Top-Level Options¶

Please note

This section describes top level options of ejabberd 24.12. If you are using an old ejabberd release, please refer to the corresponding archived version of this page in the Archive.

The options that changed in this version are marked with 🟤.

access_rules¶

{AccessName: {allow|deny: ACLRules|ACLName}}

This option defines Access Rules. Each access rule is assigned a name that can be referenced from other parts of the configuration file (mostly from access options of ejabberd modules). Each rule definition may contain arbitrary number of allow or deny sections, and each section may contain any number of ACL rules (see acl option). There are no access rules defined by default.

Example:

access_rules:
  configure:
    allow: admin
  something:
    deny: someone
    allow: all
  s2s_banned:
    deny: problematic_hosts
    deny: banned_forever
    deny:
      ip: 222.111.222.111/32
    deny:
      ip: 111.222.111.222/32
    allow: all
  xmlrpc_access:
    allow:
      user: peter@example.com
    allow:
      user: ivone@example.com
    allow:
      user: bot@example.com
      ip: 10.0.0.0/24

acl¶

{ACLName: {ACLType: ACLValue}}

This option defines access control lists: named sets of rules which are used to match against different targets (such as a JID or an IP address). Every set of rules has name ACLName: it can be any string except all or none (those are predefined names for the rules that match all or nothing respectively). The name ACLName can be referenced from other parts of the configuration file, for example in access_rules option. The rules of ACLName are represented by mapping {ACLType: ACLValue}. These can be one of the following:

ip: Network
The rule matches any IP address from the Network.
node_glob: Pattern
Same as node_regexp, but matching is performed on a specified Pattern according to the rules used by the Unix shell.
node_regexp: user_regexp@server_regexp
The rule matches any JID with node part matching regular expression user_regexp and server part matching regular expression server_regexp.
resource: Resource
The rule matches any JID with a resource Resource.
resource_glob: Pattern
Same as resource_regexp, but matching is performed on a specified Pattern according to the rules used by the Unix shell.
resource_regexp: Regexp
The rule matches any JID with a resource that matches regular expression Regexp.
server: Server
The rule matches any JID from server Server. The value of Server must be a valid hostname or an IP address.
server_glob: Pattern
Same as server_regexp, but matching is performed on a specified Pattern according to the rules used by the Unix shell.
server_regexp: Regexp
The rule matches any JID from the server that matches regular expression Regexp.
user: Username
If Username is in the form of "user@server", the rule matches a JID against this value. Otherwise, if Username is in the form of "user", the rule matches any JID that has Username in the node part as long as the server part of this JID is any virtual host served by ejabberd.
user_glob: Pattern
Same as user_regexp, but matching is performed on a specified Pattern according to the rules used by the Unix shell.
user_regexp: Regexp
If Regexp is in the form of "regexp@server", the rule matches any JID with node part matching regular expression "regexp" as long as the server part of this JID is equal to "server". If Regexp is in the form of "regexp", the rule matches any JID with node part matching regular expression "regexp" as long as the server part of this JID is any virtual host served by ejabberd.

acme¶

Options

ACME configuration, to automatically obtain SSL certificates for the domains served by ejabberd, which means that certificate requests and renewals are performed to some CA server (aka "ACME server") in a fully automated mode. The Options are:

auto: true | false
Whether to automatically request certificates for all configured domains (that yet have no a certificate) on server start or configuration reload. The default is true.
ca_url: URL
The ACME directory URL used as an entry point for the ACME server. The default value is https://acme-v02.api.letsencrypt.org/directory - the directory URL of Let’s Encrypt authority.
cert_type: rsa | ec
A type of a certificate key. Available values are ec and rsa for EC and RSA certificates respectively. It’s better to have RSA certificates for the purpose of backward compatibility with legacy clients and servers, thus the default is rsa.
contact: [Contact, ...]
A list of contact addresses (typically emails) where an ACME server will send notifications when problems occur. The value of Contact must be in the form of "scheme:address" (e.g. "mailto:user@domain.tld"). The default is an empty list which means an ACME server will send no notices.

Example:

acme:
  ca_url: https://acme-v02.api.letsencrypt.org/directory
  contact:
    - mailto:admin@domain.tld
    - mailto:bot@domain.tld
  auto: true
  cert_type: rsa

allow_contrib_modules¶

true | false

Whether to allow installation of third-party modules or not. See ejabberd-contrib documentation section. The default value is true.

allow_multiple_connections¶

true | false

This option is only used when the anonymous mode is enabled. Setting it to true means that the same username can be taken multiple times in anonymous login mode if different resource are used to connect. This option is only useful in very special occasions. The default value is false.

anonymous_protocol¶

login_anon | sasl_anon | both

Define what anonymous protocol will be used:

login_anon means that the anonymous login method will be used.
sasl_anon means that the SASL Anonymous method will be used.
both means that SASL Anonymous and login anonymous are both enabled.

The default value is sasl_anon.

api_permissions¶

[Permission, ...]

Define the permissions for API access. Please consult the ejabberd Docs web → For Developers → ejabberd ReST API → API Permissions.

append_host_config¶

{Host: Options}

Add a few specific options to a certain virtual host.

auth_cache_life_time¶

timeout()

Same as cache_life_time, but applied to authentication cache only. If not set, the value from cache_life_time will be used.

auth_cache_missed¶

true | false

Same as cache_missed, but applied to authentication cache only. If not set, the value from cache_missed will be used.

auth_cache_size¶

pos_integer() | infinity

Same as cache_size, but applied to authentication cache only. If not set, the value from cache_size will be used.

auth_external_user_exists_check¶

true | false

added in 23.10

Supplement check for user existence based on mod_last data, for authentication methods that don’t have a way to reliably tell if a user exists (like is the case for jwt and certificate based authentication). This helps with processing offline message for those users. The default value is true.

auth_method¶

[mnesia | sql | anonymous | external | jwt | ldap | pam, ...]

A list of authentication methods to use. If several methods are defined, authentication is considered successful as long as authentication of at least one of the methods succeeds. The default value is [mnesia].

auth_opts¶

[Option, ...]

This is used by the contributed module ejabberd_auth_http that can be installed from the ejabberd-contrib Git repository. Please refer to that module’s README file for details.

auth_password_format¶

plain | scram

improved in 20.01

The option defines in what format the users passwords are stored, plain text or in SCRAM format:

plain: The password is stored as plain text in the database. This is risky because the passwords can be read if your database gets compromised. This is the default value. This format allows clients to authenticate using: the old Jabber Non-SASL (XEP-0078), SASL PLAIN, SASL DIGEST-MD5, and SASL SCRAM-SHA-1/256/512(-PLUS).
scram: The password is not stored, only some information required to verify the hash provided by the client. It is impossible to obtain the original plain password from the stored information; for this reason, when this value is configured it cannot be changed to plain anymore. This format allows clients to authenticate using: SASL PLAIN and SASL SCRAM-SHA-1/256/512(-PLUS). The SCRAM variant depends on the auth_scram_hash option.

The default value is plain.

auth_scram_hash¶

sha | sha256 | sha512

Hash algorithm that should be used to store password in SCRAM format. You shouldn’t change this if you already have passwords generated with a different algorithm - users that have such passwords will not be able to authenticate. The default value is sha.

auth_use_cache¶

true | false

Same as use_cache, but applied to authentication cache only. If not set, the value from use_cache will be used.

c2s_cafile¶

Path

Full path to a file containing one or more CA certificates in PEM format. All client certificates should be signed by one of these root CA certificates and should contain the corresponding JID(s) in subjectAltName field. There is no default value.

You can use host_config to specify this option per-vhost.

To set a specific file per listener, use the listener’s cafile option. Please notice that c2s_cafile overrides the listener’s cafile option.

c2s_ciphers¶

[Cipher, ...]

A list of OpenSSL ciphers to use for c2s connections. The default value is shown in the example below:

Example:

c2s_ciphers:
  - HIGH
  - "!aNULL"
  - "!eNULL"
  - "!3DES"
  - "@STRENGTH"

c2s_dhfile¶

Path

Full path to a file containing custom DH parameters to use for c2s connections. Such a file could be created with the command "openssl dhparam -out dh.pem 2048". If this option is not specified, 2048-bit MODP Group with 256-bit Prime Order Subgroup will be used as defined in RFC5114 Section 2.3.

c2s_protocol_options¶

[Option, ...]

List of general SSL options to use for c2s connections. These map to OpenSSL’s set_options(). The default value is shown in the example below:

Example:

c2s_protocol_options:
  - no_sslv3
  - cipher_server_preference
  - no_compression

c2s_tls_compression¶

true | false

Whether to enable or disable TLS compression for c2s connections. The default value is false.

ca_file¶

Path

Path to a file of CA root certificates. The default is to use system defined file if possible.

For server connections, this ca_file option is overridden by the s2s_cafile option.

cache_life_time¶

timeout()

The time of a cached item to keep in cache. Once it’s expired, the corresponding item is erased from cache. The default value is 1 hour. Several modules have a similar option; and some core ejabberd parts support similar options too, see auth_cache_life_time, oauth_cache_life_time, router_cache_life_time, and sm_cache_life_time.

cache_missed¶

true | false

Whether or not to cache missed lookups. When there is an attempt to lookup for a value in a database and this value is not found and the option is set to true, this attempt will be cached and no attempts will be performed until the cache expires (see cache_life_time). Usually you don’t want to change it. Default is true. Several modules have a similar option; and some core ejabberd parts support similar options too, see auth_cache_missed, oauth_cache_missed, router_cache_missed, and sm_cache_missed.

cache_size¶

pos_integer() | infinity

A maximum number of items (not memory!) in cache. The rule of thumb, for all tables except rosters, you should set it to the number of maximum online users you expect. For roster multiply this number by 20 or so. If the cache size reaches this threshold, it’s fully cleared, i.e. all items are deleted, and the corresponding warning is logged. You should avoid frequent cache clearance, because this degrades performance. The default value is 1000. Several modules have a similar option; and some core ejabberd parts support similar options too, see auth_cache_size, oauth_cache_size, router_cache_size, and sm_cache_size.

captcha_cmd¶

Path | ModuleName

improved in 23.01

Full path to a script that generates CAPTCHA images. @VERSION@ is replaced with ejabberd version number in XX.YY format. @SEMVER@ is replaced with ejabberd version number in semver format when compiled with Elixir’s mix, or XX.YY format otherwise. Alternatively, it can be the name of a module that implements ejabberd CAPTCHA support. There is no default value: when this option is not set, CAPTCHA functionality is completely disabled.

Examples:

When using the ejabberd installers or container image, the example captcha scripts can be used like this:

captcha_cmd: /opt/ejabberd-@VERSION@/lib/ejabberd-@SEMVER@/priv/bin/captcha.sh

captcha_host¶

String

Deprecated. Use captcha_url instead.

captcha_limit¶

pos_integer() | infinity

Maximum number of CAPTCHA generated images per minute for any given JID. The option is intended to protect the server from CAPTCHA DoS. The default value is infinity.

captcha_url¶

URL | auto | undefined

improved in 23.04

An URL where CAPTCHA requests should be sent. NOTE: you need to configure request_handlers for ejabberd_http listener as well. If set to auto, it builds the URL using a request_handler already enabled, with encryption if available. If set to undefined, it builds the URL using the deprecated captcha_host + /captcha. The default value is auto.

certfiles¶

[Path, ...]

The option accepts a list of file paths (optionally with wildcards) containing either PEM certificates or PEM private keys. At startup or configuration reload, ejabberd reads all certificates from these files, sorts them, removes duplicates, finds matching private keys and then rebuilds full certificate chains for the use in TLS connections. Use this option when TLS is enabled in either of ejabberd listeners: ejabberd_c2s, ejabberd_http and so on. NOTE: if you modify the certificate files or change the value of the option, run ejabberdctl reload-config in order to rebuild and reload the certificate chains.

Examples:

If you use Let’s Encrypt certificates for your domain "domain.tld", the configuration will look like this:

certfiles:
  - /etc/letsencrypt/live/domain.tld/fullchain.pem
  - /etc/letsencrypt/live/domain.tld/privkey.pem

cluster_backend¶

Backend

A database backend to use for storing information about cluster. The only available value so far is mnesia.

cluster_nodes¶

[Node, ...]

A list of Erlang nodes to connect on ejabberd startup. This option is mostly intended for ejabberd customization and sophisticated setups. The default value is an empty list.

default_db¶

mnesia | sql

Default database to store persistent data in ejabberd. Modules and other components (e.g. authentication) may have its own value. The default value is mnesia.

default_ram_db¶

mnesia | redis | sql

Default volatile (in-memory) storage for ejabberd. Modules and other components (e.g. session management) may have its own value. The default value is mnesia.

define_macro¶

{MacroName: MacroValue}

Defines a macro. The value can be any valid arbitrary YAML value. For convenience, it’s recommended to define a MacroName in capital letters. Duplicated macros are not allowed. Macros are processed after additional configuration files have been included, so it is possible to use macros that are defined in configuration files included before the usage. It is possible to use a MacroValue in the definition of another macro.

Example:

define_macro:
  DEBUG: debug
  LOG_LEVEL: DEBUG
  USERBOB:
    user: bob@localhost

loglevel: LOG_LEVEL

acl:
  admin: USERBOB

disable_sasl_mechanisms¶

[Mechanism, ...]

Specify a list of SASL mechanisms (such as DIGEST-MD5 or SCRAM-SHA1) that should not be offered to the client. For convenience, the value of Mechanism is case-insensitive. The default value is an empty list, i.e. no mechanisms are disabled by default.

disable_sasl_scram_downgrade_protection¶

true | false

Allows to disable sending data required by XEP-0474: SASL SCRAM Downgrade Protection. There are known buggy clients (like those that use strophejs 1.6.2) which will not be able to authenticatate when servers sends data from that specification. This options allows server to disable it to allow even buggy clients connects, but in exchange decrease MITM protection. The default value of this option is false which enables this extension.

domain_balancing¶

{Domain: Options}

An algorithm to load-balance the components that are plugged on an ejabberd cluster. It means that you can plug one or several instances of the same component on each ejabberd node and that the traffic will be automatically distributed. The algorithm to deliver messages to the component(s) can be specified by this option. For any component connected as Domain, available Options are:

component_number: 2..1000
The number of components to balance.
type: Value
How to deliver stanzas to connected components. The default value is random. Possible values:

- bare_destination
by the bare JID (without resource) of the packet’s to attribute

- bare_source
by the bare JID (without resource) of the packet’s from attribute is used

- destination
an instance is chosen by the full JID of the packet’s to attribute

- random
an instance is chosen at random

- source
by the full JID of the packet’s from attribute

Example:
```
domain_balancing:
  component.domain.tld:
    type: destination
    component_number: 5
  transport.example.org:
    type: bare_source
```

ext_api_headers¶

Headers

String of headers (separated with commas ,) that will be provided by ejabberd when sending ReST requests. The default value is an empty string of headers: "".

ext_api_http_pool_size¶

pos_integer()

Define the size of the HTTP pool, that is, the maximum number of sessions that the ejabberd ReST service will handle simultaneously. The default value is: 100.

ext_api_path_oauth¶

Path

Define the base URI path when performing OAUTH ReST requests. The default value is: "/oauth".

ext_api_url¶

URL

Define the base URI when performing ReST requests. The default value is: "http://localhost/api".

extauth_pool_name¶

Name

Define the pool name appendix in external auth, so the full pool name will be extauth_pool_Name. The default value is the hostname.

extauth_pool_size¶

Size

The option defines the number of instances of the same external auth program to start for better load balancing. The default is the number of available CPU cores.

extauth_program¶

Path

Indicate in this option the full path to the external authentication script. The script must be executable by ejabberd.

fqdn¶

Domain

A fully qualified domain name that will be used in SASL DIGEST-MD5 authentication. The default is detected automatically.

hide_sensitive_log_data¶

true | false

A privacy option to not log sensitive data (mostly IP addresses). The default value is false for backward compatibility.

host_config¶

{Host: Options}

The option is used to redefine Options for virtual host Host. In the example below LDAP authentication method will be used on virtual host domain.tld and SQL method will be used on virtual host example.org.

Example:

hosts:
  - domain.tld
  - example.org

auth_method:
  - sql

host_config:
  domain.tld:
    auth_method:
      - ldap

hosts¶

[Domain1, Domain2, ...]

List of one or more host names (or domains) that ejabberd will serve. This is a mandatory option.

include_config_file¶

[Filename, ...] | {Filename: Options}

Read and include additional file from Filename. If the value is provided in {Filename: Options} format, the Options must be one of the following:

allow_only: [OptionName, ...]
Allows only the usage of those options in the included file Filename. The options that do not match this criteria are not accepted. The default value is to include all options.
disallow: [OptionName, ...]
Disallows the usage of those options in the included file Filename. The options that match this criteria are not accepted. The default value is an empty list.

install_contrib_modules¶

[Module, ...]

added in 23.10

Modules to install from ejabberd-contrib at start time. The default value is an empty list of modules: [].

jwt_auth_only_rule¶

AccessName

This ACL rule defines accounts that can use only the JWT auth method, even if others are also defined in the ejabberd configuration file. In other words: if there are several auth methods enabled for this host (JWT, SQL, …), users that match this rule can only use JWT. The default value is none.

jwt_jid_field¶

FieldName

By default, the JID is defined in the "jid" JWT field. In this option you can specify other JWT field name where the JID is defined.

jwt_key¶

FilePath

Path to the file that contains the JWT key. The default value is undefined.

language¶

Language

Define the default language of server strings that can be seen by XMPP clients. If an XMPP client does not possess xml:lang attribute, the specified language is used. The default value is "en".

ldap_backups¶

[Host, ...]

A list of IP addresses or DNS names of LDAP backup servers (see LDAP connection). When no servers listed in ldap_servers option are reachable, ejabberd connects to these backup servers. The default is an empty list, i.e. no backup servers specified. Please notice that ejabberd only connects to the next server when the existing connection is lost; it doesn’t detect when a previously-attempted server becomes available again.

ldap_base¶

Base

LDAP base directory which stores users accounts. There is no default value: you must set the option in order for LDAP connections to work properly.

ldap_deref_aliases¶

never | always | finding | searching

Whether to dereference aliases or not. The default value is never.

ldap_dn_filter¶

{Filter: FilterAttrs}

This filter is applied on the results returned by the main filter. The filter performs an additional LDAP lookup to make the complete result. This is useful when you are unable to define all filter rules in ldap_filter. You can define "%u", "%d", "%s" and "%D" pattern variables in Filter: "%u" is replaced by a user’s part of the JID, "%d" is replaced by the corresponding domain (virtual host), all "%s" variables are consecutively replaced by values from the attributes in FilterAttrs and "%D" is replaced by Distinguished Name from the result set. There is no default value, which means the result is not filtered. WARNING: Since this filter makes additional LDAP lookups, use it only as the last resort: try to define all filter rules in ldap_filter option if possible.

Example:

ldap_dn_filter:
  "(&(name=%s)(owner=%D)(user=%u@%d))": [sn]

ldap_encrypt¶

tls | none

Whether to encrypt LDAP connection using TLS or not. The default value is none. NOTE: STARTTLS encryption is not supported.

ldap_filter¶

Filter

An LDAP filter as defined in RFC4515. There is no default value. Example: "(&(objectClass=shadowAccount)(memberOf=XMPP Users))". NOTE: don’t forget to close brackets and don’t use superfluous whitespaces. Also you must not use "uid" attribute in the filter because this attribute will be appended to the filter automatically.

ldap_password¶

Password

Bind password. The default value is an empty string.

ldap_port¶

1..65535

Port to connect to your LDAP server. The default port is 389 if encryption is disabled and 636 if encryption is enabled.

ldap_rootdn¶

RootDN

Bind Distinguished Name. The default value is an empty string, which means "anonymous connection".

ldap_servers¶

[Host, ...]

A list of IP addresses or DNS names of your LDAP servers (see LDAP connection). ejabberd connects immediately to all of them, and reconnects infinitely if connection is lost. The default value is [localhost].

ldap_tls_cacertfile¶

Path

A path to a file containing PEM encoded CA certificates. This option is required when TLS verification is enabled.

ldap_tls_certfile¶

Path

A path to a file containing PEM encoded certificate along with PEM encoded private key. This certificate will be provided by ejabberd when TLS enabled for LDAP connections. There is no default value, which means no client certificate will be sent.

ldap_tls_depth¶

Number

Specifies the maximum verification depth when TLS verification is enabled, i.e. how far in a chain of certificates the verification process can proceed before the verification is considered to be failed. Peer certificate = 0, CA certificate = 1, higher level CA certificate = 2, etc. The value 2 thus means that a chain can at most contain peer cert, CA cert, next CA cert, and an additional CA cert. The default value is 1.

ldap_tls_verify¶

false | soft | hard

This option specifies whether to verify LDAP server certificate or not when TLS is enabled. When hard is set, ejabberd doesn’t proceed if the certificate is invalid. When soft is set, ejabberd proceeds even if the check has failed. The default is false, which means no checks are performed.

ldap_uids¶

[Attr] | {Attr: AttrFormat}

LDAP attributes which hold a list of attributes to use as alternatives for getting the JID, where Attr is an LDAP attribute which holds the user’s part of the JID and AttrFormat must contain one and only one pattern variable "%u" which will be replaced by the user’s part of the JID. For example, "%u@example.org". If the value is in the form of [Attr] then AttrFormat is assumed to be "%u".

listen¶

[Options, ...]

The option for listeners configuration. See the Listen Modules section for details.

log_burst_limit_count¶

Number

added in 22.10

The number of messages to accept in log_burst_limit_window_time period before starting to drop them. Default 500

log_burst_limit_window_time¶

Number

added in 22.10

The time period to rate-limit log messages by. Defaults to 1 second.

log_modules_fully¶

[Module, ...]

added in 23.01

List of modules that will log everything independently from the general loglevel option.

log_rotate_count¶

Number

The number of rotated log files to keep. The default value is 1, which means that only keeps ejabberd.log.0, error.log.0 and crash.log.0.

log_rotate_size¶

pos_integer() | infinity

The size (in bytes) of a log file to trigger rotation. If set to infinity, log rotation is disabled. The default value is 10 Mb expressed in bytes: 10485760.

loglevel¶

Verbosity of ejabberd logging. The default value is info. NOTE: previous versions of ejabberd had log levels defined in numeric format (0..5). The numeric values are still accepted for backward compatibility, but are not recommended.

max_fsm_queue¶

Size

This option specifies the maximum number of elements in the queue of the FSM (Finite State Machine). Roughly speaking, each message in such queues represents one XML stanza queued to be sent into its relevant outgoing stream. If queue size reaches the limit (because, for example, the receiver of stanzas is too slow), the FSM and the corresponding connection (if any) will be terminated and error message will be logged. The reasonable value for this option depends on your hardware configuration. The allowed values are positive integers. The default value is 10000.

modules¶

{Module: Options}

Set all the modules configuration options.

negotiation_timeout¶

timeout()

Time to wait for an XMPP stream negotiation to complete. When timeout occurs, the corresponding XMPP stream is closed. The default value is 120 seconds.

net_ticktime¶

timeout()

This option can be used to tune tick time parameter of net_kernel. It tells Erlang VM how often nodes should check if intra-node communication was not interrupted. This option must have identical value on all nodes, or it will lead to subtle bugs. Usually leaving default value of this is option is best, tweak it only if you know what you are doing. The default value is 1 minute.

new_sql_schema¶

true | false

Whether to use the new SQL schema. All schemas are located at https://github.com/processone/ejabberd/tree/24.12/sql. There are two schemas available. The default legacy schema stores one XMPP domain into one ejabberd database. The new schema can handle several XMPP domains in a single ejabberd database. Using this new schema is best when serving several XMPP domains and/or changing domains from time to time. This avoid need to manage several databases and handle complex configuration changes. The default depends on configuration flag --enable-new-sql-schema which is set at compile time.

oauth_access¶

AccessName

By default creating OAuth tokens is not allowed. To define which users can create OAuth tokens, you can refer to an ejabberd access rule in the oauth_access option. Use all to allow everyone to create tokens.

oauth_cache_life_time¶

timeout()

Same as cache_life_time, but applied to OAuth cache only. If not set, the value from cache_life_time will be used.

oauth_cache_missed¶

true | false

Same as cache_missed, but applied to OAuth cache only. If not set, the value from cache_missed will be used.

oauth_cache_rest_failure_life_time¶

timeout()

added in 21.01

The time that a failure in OAuth ReST is cached. The default value is infinity.

oauth_cache_size¶

pos_integer() | infinity

Same as cache_size, but applied to OAuth cache only. If not set, the value from cache_size will be used.

oauth_client_id_check¶

allow | db | deny

Define whether the client authentication is always allowed, denied, or it will depend if the client ID is present in the database. The default value is allow.

oauth_db_type¶

mnesia | sql

Database backend to use for OAuth authentication. The default value is picked from default_db option, or if it’s not set, mnesia will be used.

oauth_expire¶

timeout()

Time during which the OAuth token is valid, in seconds. After that amount of time, the token expires and the delegated credential cannot be used and is removed from the database. The default is 4294967 seconds.

oauth_use_cache¶

true | false

Same as use_cache, but applied to OAuth cache only. If not set, the value from use_cache will be used.

oom_killer¶

true | false

Enable or disable OOM (out-of-memory) killer. When system memory raises above the limit defined in oom_watermark option, ejabberd triggers OOM killer to terminate most memory consuming Erlang processes. Note that in order to maintain functionality, ejabberd only attempts to kill transient processes, such as those managing client sessions, s2s or database connections. The default value is true.

oom_queue¶

Size

Trigger OOM killer when some of the running Erlang processes have messages queue above this Size. Note that such processes won’t be killed if oom_killer option is set to false or if oom_watermark is not reached yet.

oom_watermark¶

Percent

A percent of total system memory consumed at which OOM killer should be activated with some of the processes possibly be killed (see oom_killer option). Later, when memory drops below this Percent, OOM killer is deactivated. The default value is 80 percents.

outgoing_s2s_families¶

[ipv6 | ipv4, ...]

changed in 23.01

Specify which address families to try, in what order. The default is [ipv6, ipv4] which means it first tries connecting with IPv6, if that fails it tries using IPv4. This option is obsolete and irrelevant when using ejabberd 23.01 and Erlang/OTP 22, or newer versions of them.

outgoing_s2s_ipv4_address¶

Address

added in 20.12

Specify the IPv4 address that will be used when establishing an outgoing S2S IPv4 connection, for example "127.0.0.1". The default value is undefined.

outgoing_s2s_ipv6_address¶

Address

added in 20.12

Specify the IPv6 address that will be used when establishing an outgoing S2S IPv6 connection, for example "::FFFF:127.0.0.1". The default value is undefined.

outgoing_s2s_port¶

1..65535

A port number to use for outgoing s2s connections when the target server doesn’t have an SRV record. The default value is 5269.

outgoing_s2s_timeout¶

timeout()

The timeout in seconds for outgoing S2S connection attempts. The default value is 10 seconds.

pam_service¶

Name

This option defines the PAM service name. Refer to the PAM documentation of your operation system for more information. The default value is ejabberd.

pam_userinfotype¶

username | jid

This option defines what type of information about the user ejabberd provides to the PAM service: only the username, or the user’s JID. Default is username.

pgsql_users_number_estimate¶

true | false

Whether to use PostgreSQL estimation when counting registered users. The default value is false.

queue_dir¶

Directory

If queue_type option is set to file, use this Directory to store file queues. The default is to keep queues inside Mnesia directory.

queue_type¶

ram | file

Default type of queues in ejabberd. Modules may have its own value of the option. The value of ram means that queues will be kept in memory. If value file is set, you may also specify directory in queue_dir option where file queues will be placed. The default value is ram.

redis_connect_timeout¶

timeout()

A timeout to wait for the connection to be re-established to the Redis server. The default is 1 second.

redis_db¶

Number

Redis database number. The default is 0.

redis_password¶

Password

The password to the Redis server. The default is an empty string, i.e. no password.

redis_pool_size¶

Number

The number of simultaneous connections to the Redis server. The default value is 10.

redis_port¶

1..65535

The port where the Redis server is accepting connections. The default is 6379.

redis_queue_type¶

ram | file

The type of request queue for the Redis server. See description of queue_type option for the explanation. The default value is the value defined in queue_type or ram if the latter is not set.

redis_server 🟤¶

Host | IP Address | Unix Socket Path

improved in 24.12

A hostname, IP address or unix domain socket file of the Redis server. Setup the path to unix domain socket like: "unix:/path/to/socket". The default value is localhost.

registration_timeout¶

timeout()

This is a global option for module mod_register. It limits the frequency of registrations from a given IP or username. So, a user that tries to register a new account from the same IP address or JID during this time after their previous registration will receive an error with the corresponding explanation. To disable this limitation, set the value to infinity. The default value is 600 seconds.

resource_conflict¶

setresource | closeold | closenew

NOTE: this option is deprecated and may be removed anytime in the future versions. The possible values match exactly the three possibilities described in XMPP Core: section 7.7.2.2. The default value is closeold. If the client uses old Jabber Non-SASL authentication (XEP-0078), then this option is not respected, and the action performed is closeold.

router_cache_life_time¶

timeout()

Same as cache_life_time, but applied to routing table cache only. If not set, the value from cache_life_time will be used.

router_cache_missed¶

true | false

Same as cache_missed, but applied to routing table cache only. If not set, the value from cache_missed will be used.

router_cache_size¶

pos_integer() | infinity

Same as cache_size, but applied to routing table cache only. If not set, the value from cache_size will be used.

router_db_type¶

mnesia | redis | sql

Database backend to use for routing information. The default value is picked from default_ram_db option, or if it’s not set, mnesia will be used.

router_use_cache¶

true | false

Same as use_cache, but applied to routing table cache only. If not set, the value from use_cache will be used.

rpc_timeout¶

timeout()

A timeout for remote function calls between nodes in an ejabberd cluster. You should probably never change this value since those calls are used for internal needs only. The default value is 5 seconds.

s2s_access¶

Access

This Access Rule defines to what remote servers can s2s connections be established. The default value is all; no restrictions are applied, it is allowed to connect s2s to/from all remote servers.

s2s_cafile¶

Path

A path to a file with CA root certificates that will be used to authenticate s2s connections. If not set, the value of ca_file will be used.

You can use host_config to specify this option per-vhost.

s2s_ciphers¶

[Cipher, ...]

A list of OpenSSL ciphers to use for s2s connections. The default value is shown in the example below:

Example:

s2s_ciphers:
  - HIGH
  - "!aNULL"
  - "!eNULL"
  - "!3DES"
  - "@STRENGTH"

s2s_dhfile¶

Path

Full path to a file containing custom DH parameters to use for s2s connections. Such a file could be created with the command "openssl dhparam -out dh.pem 2048". If this option is not specified, 2048-bit MODP Group with 256-bit Prime Order Subgroup will be used as defined in RFC5114 Section 2.3.

s2s_dns_retries¶

Number

DNS resolving retries. The default value is 2.

s2s_dns_timeout¶

timeout()

The timeout for DNS resolving. The default value is 10 seconds.

s2s_max_retry_delay¶

timeout()

The maximum allowed delay for s2s connection retry to connect after a failed connection attempt. The default value is 300 seconds (5 minutes).

s2s_protocol_options¶

[Option, ...]

List of general SSL options to use for s2s connections. These map to OpenSSL’s set_options(). The default value is shown in the example below:

Example:

s2s_protocol_options:
  - no_sslv3
  - cipher_server_preference
  - no_compression

s2s_queue_type¶

ram | file

The type of a queue for s2s packets. See description of queue_type option for the explanation. The default value is the value defined in queue_type or ram if the latter is not set.

s2s_timeout¶

timeout()

A time to wait before closing an idle s2s connection. The default value is 1 hour.

s2s_tls_compression¶

true | false

Whether to enable or disable TLS compression for s2s connections. The default value is false.

s2s_use_starttls¶

true | false | optional | required

Whether to use STARTTLS for s2s connections. The value of false means STARTTLS is prohibited. The value of true or optional means STARTTLS is enabled but plain connections are still allowed. And the value of required means that only STARTTLS connections are allowed. The default value is false (for historical reasons).

s2s_zlib¶

true | false

Whether to use zlib compression (as defined in XEP-0138) or not. The default value is false. WARNING: this type of compression is nowadays considered insecure.

shaper¶

{ShaperName: Rate}

The option defines a set of shapers. Every shaper is assigned a name ShaperName that can be used in other parts of the configuration file, such as shaper_rules option. The shaper itself is defined by its Rate, where Rate stands for the maximum allowed incoming rate in bytes per second. When a connection exceeds this limit, ejabberd stops reading from the socket until the average rate is again below the allowed maximum. In the example below shaper normal limits the traffic speed to 1,000 bytes/sec and shaper fast limits the traffic speed to 50,000 bytes/sec:

Example:

shaper:
  normal: 1000
  fast: 50000

shaper_rules¶

{ShaperRuleName: {Number|ShaperName: ACLRule|ACLName}}

This option defines shaper rules to use for matching user/hosts. Semantics is similar to access_rules option, the only difference is that instead using allow or deny, a name of a shaper (defined in shaper option) or a positive number should be used.

Example:

shaper_rules:
  connections_limit:
    10:
      user: peter@example.com
    100: admin
    5: all
  download_speed:
    fast: admin
    slow: anonymous_users
    normal: all
  log_days: 30

sm_cache_life_time¶

timeout()

Same as cache_life_time, but applied to client sessions table cache only. If not set, the value from cache_life_time will be used.

sm_cache_missed¶

true | false

Same as cache_missed, but applied to client sessions table cache only. If not set, the value from cache_missed will be used.

sm_cache_size¶

pos_integer() | infinity

Same as cache_size, but applied to client sessions table cache only. If not set, the value from cache_size will be used.

sm_db_type¶

mnesia | redis | sql

Database backend to use for client sessions information. The default value is picked from default_ram_db option, or if it’s not set, mnesia will be used.

sm_use_cache¶

true | false

Same as use_cache, but applied to client sessions table cache only. If not set, the value from use_cache will be used.

sql_connect_timeout¶

timeout()

A time to wait for connection to an SQL server to be established. The default value is 5 seconds.

sql_database¶

Database

An SQL database name. For SQLite this must be a full path to a database file. The default value is ejabberd.

sql_flags¶

[mysql_alternative_upsert]

added in 24.02

This option accepts a list of SQL flags, and is empty by default. mysql_alternative_upsert forces the alternative upsert implementation in MySQL.

sql_keepalive_interval¶

timeout()

An interval to make a dummy SQL request to keep alive the connections to the database. There is no default value, so no keepalive requests are made.

sql_odbc_driver¶

Path

added in 20.12

Path to the ODBC driver to use to connect to a Microsoft SQL Server database. This option only applies if the sql_type option is set to mssql and sql_server is not an ODBC connection string. The default value is: libtdsodbc.so

sql_password¶

Password

The password for SQL authentication. The default is empty string.

sql_pool_size¶

Size

Number of connections to the SQL server that ejabberd will open for each virtual host. The default value is 10. WARNING: for SQLite this value is 1 by default and it’s not recommended to change it due to potential race conditions.

sql_port¶

1..65535

The port where the SQL server is accepting connections. The default is 3306 for MySQL, 5432 for PostgreSQL and 1433 for MS SQL. The option has no effect for SQLite.

sql_prepared_statements¶

true | false

added in 20.01

This option is true by default, and is useful to disable prepared statements. The option is valid for PostgreSQL and MySQL.

sql_query_timeout¶

timeout()

A time to wait for an SQL query response. The default value is 60 seconds.

sql_queue_type¶

ram | file

The type of a request queue for the SQL server. See description of queue_type option for the explanation. The default value is the value defined in queue_type or ram if the latter is not set.

sql_server¶

Host | IP Address | ODBC Connection String | Unix Socket Path

improved in 24.06

The hostname or IP address of the SQL server. For sql_type mssql or odbc this can also be an ODBC connection string. When sql_type is mysql or pgsql, this can be the path to a unix domain socket expressed like: "unix:/path/to/socket".The default value is localhost.

sql_ssl¶

true | false

improved in 20.03

Whether to use SSL encrypted connections to the SQL server. The option is only available for MySQL, MS SQL and PostgreSQL. The default value is false.

sql_ssl_cafile¶

Path

A path to a file with CA root certificates that will be used to verify SQL connections. Implies sql_ssl and sql_ssl_verify options are set to true. There is no default which means certificate verification is disabled. This option has no effect for MS SQL.

sql_ssl_certfile¶

Path

A path to a certificate file that will be used for SSL connections to the SQL server. Implies sql_ssl option is set to true. There is no default which means ejabberd won’t provide a client certificate to the SQL server. This option has no effect for MS SQL.

sql_ssl_verify¶

true | false

Whether to verify SSL connection to the SQL server against CA root certificates defined in sql_ssl_cafile option. Implies sql_ssl option is set to true. This option has no effect for MS SQL. The default value is false.

sql_start_interval¶

timeout()

A time to wait before retrying to restore failed SQL connection. The default value is 30 seconds.

sql_type¶

mssql | mysql | odbc | pgsql | sqlite

The type of an SQL connection. The default is odbc.

sql_username¶

Username

A user name for SQL authentication. The default value is ejabberd.

trusted_proxies¶

all | [Network1, Network2, ...]

Specify what proxies are trusted when an HTTP request contains the header X-Forwarded-For. You can specify all to allow all proxies, or specify a list of IPs, possibly with masks. The default value is an empty list. Using this option you can know the real IP of the request, for admin purpose, or security configuration (for example using mod_fail2ban). IMPORTANT: The proxy MUST be configured to set the X-Forwarded-For header if you enable this option as, otherwise, the client can set it itself and as a result the IP value cannot be trusted for security rules in ejabberd.

update_sql_schema¶

true | false

updated in 24.06

Allow ejabberd to update SQL schema in MySQL, PostgreSQL and SQLite databases. This option was added in ejabberd 23.10, and enabled by default since 24.06. The default value is true.

update_sql_schema_timeout¶

timeout()

added in 24.07

Time allocated to SQL schema update queries. The default value is set to 5 minutes.

use_cache¶

true | false

Enable or disable cache. The default is true. Several modules have a similar option; and some core ejabberd parts support similar options too, see auth_use_cache, oauth_use_cache, router_use_cache, and sm_use_cache.

validate_stream¶

true | false

Whether to validate any incoming XML packet according to the schemas of supported XMPP extensions. WARNING: the validation is only intended for the use by client developers - don’t enable it in production environment. The default value is false.

version¶

string()

The option can be used to set custom ejabberd version, that will be used by different parts of ejabberd, for example by mod_version module. The default value is obtained at compile time from the underlying version control system.

websocket_origin¶

ignore | URL

This option enables validation for Origin header to protect against connections from other domains than given in the configuration file. In this way, the lower layer load balancer can be chosen for a specific ejabberd implementation while still providing a secure WebSocket connection. The default value is ignore. An example value of the URL is "https://test.example.org:8081".

websocket_ping_interval¶

timeout()

Defines time between pings sent by the server to a client (WebSocket level protocol pings are used for this) to keep a connection active. If the client doesn’t respond to two consecutive pings, the connection will be assumed as closed. The value of 0 can be used to disable the feature. This option makes the server sending pings only for connections using the RFC compliant protocol. For older style connections the server expects that whitespace pings would be used for this purpose. The default value is 60 seconds.

websocket_timeout¶

timeout()

Amount of time without any communication after which the connection would be closed. The default value is 300 seconds.