[https://xmpp.org/extensions/xep-0368.html XEP-0368] can be used to provide encrypted XMPP service and HTTPS on the same port by utilizing the [https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation ALPN TLS extension].
Port 443 is commonly allowed through firewalls. To run multiple services on one port, a proxy is needed that splits the traffic between the HTTP server and the XMPP server based on the ALPN value the client advertises.
Note that this will not hide XMPP traffic from a firewall that inspects TLS handshakes: the ALPN value is sent unencrypted in the ClientHello, so a middlebox can still tell XMPP from HTTPS.
This page presents configuration hints for several popular proxies.
__TOC__
== nginx ==
Nginx since version 1.13.10 provides the variable <code>$ssl_preread_alpn_protocols</code> when the <code>ngx_stream_ssl_preread</code> module is used (this module must be included when compiling nginx; it is not built by default). The variable holds the list of protocols the client advertised through ALPN, separated by commas.
The configuration below routes traffic with ALPN value <code>xmpp-client</code> to the upstream <code>xmppserver</code> and everything else (including HTTPS) to <code>httpserver</code>.
<nowiki>
stream {
    upstream httpserver {
        server httpserver:8181;
    }
    upstream xmppserver {
        server xmppserver:5223;
    }
    map $ssl_preread_alpn_protocols $upstream {
        default        httpserver;
        "xmpp-client"  xmppserver;
    }
    server {
        listen 443;
        ssl_preread on;
        proxy_pass $upstream;
    }
}</nowiki>
Nginx only inspects a TLS ClientHello in this configuration, so it works only with direct TLS (the <code>_xmpps-client</code> SRV record). Connections that start unencrypted and request encryption later (STARTTLS, the <code>_xmpp-client</code> record) cannot be routed this way: their first bytes are an XML stream header rather than a ClientHello, <code>$ssl_preread_alpn_protocols</code> stays empty, and the connection falls through to the <code>default</code> upstream. Also note that a plain <code>map</code> key matches the whole variable value, so a client that advertises <code>xmpp-client</code> together with other ALPN names would not match <code>"xmpp-client"</code>; a regular-expression key such as <code>~(^|,)xmpp-client($|,)</code> covers that case.
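To make the routing decision above concrete, here is an added example (not part of the original page or of nginx) that does in Python what <code>ssl_preread</code> does: it reads the first bytes a client sends, pulls the ALPN list out of the TLS ClientHello, joins it with commas the way <code>$ssl_preread_alpn_protocols</code> is exposed, and then applies both the page's exact-match map and a regex-key map. The ClientHello bytes and the STARTTLS stream header are constructed sample inputs; the upstream names <code>httpserver</code> and <code>xmppserver</code> are taken from the configuration above.

```python
import re
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type
EXT_ALPN = 0x0010      # extension id for ALPN (RFC 7301)


def build_client_hello(alpn):
    """Constructed sample input: a minimal TLS ClientHello advertising the given ALPN names."""
    ext = b""
    if alpn:
        names = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
        data = struct.pack("!H", len(names)) + names
        ext = struct.pack("!HH", EXT_ALPN, len(data)) + data
    body = (
        b"\x03\x03" + bytes(32)                # legacy version, 32-byte random (zeros: constructed)
        + b"\x00"                              # empty session id
        + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                          # one compression method: null
        + struct.pack("!H", len(ext)) + ext    # extensions block
    )
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


def preread_alpn(data):
    """Return the ALPN names from the first bytes a client sends, or None when those
    bytes are not a TLS ClientHello (a STARTTLS client sends an XML stream header instead)."""
    try:
        if data[0] != TLS_HANDSHAKE:
            return None
        rec_len, = struct.unpack("!H", data[3:5])
        hs = data[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        pos = 4 + 2 + 32                                      # handshake header, version, random
        pos += 1 + hs[pos]                                    # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher suites
        pos += 1 + hs[pos]                                    # compression methods
        if pos >= len(hs):                                    # ClientHello without extensions
            return []
        ext_len, = struct.unpack("!H", hs[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        protos = []
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == EXT_ALPN:
                lst = hs[pos + 2:pos + elen]                  # skip the 2-byte list length
                q = 0
                while q < len(lst):
                    n = lst[q]
                    protos.append(lst[q + 1:q + 1 + n].decode("ascii"))
                    q += 1 + n
            pos += elen
        return protos
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def alpn_variable(protos):
    """What nginx exposes as $ssl_preread_alpn_protocols: the advertised names joined by
    commas, or an empty string when preread could not parse a ClientHello."""
    return ",".join(protos) if protos else ""


def route_exact(data):
    """The page's map: only a ClientHello advertising exactly "xmpp-client" reaches xmppserver."""
    return "xmppserver" if alpn_variable(preread_alpn(data)) == "xmpp-client" else "httpserver"


def route_regex(data):
    """Map with a regex key, ~(^|,)xmpp-client($|,): matches xmpp-client anywhere in the list."""
    value = alpn_variable(preread_alpn(data))
    return "xmppserver" if re.search(r"(^|,)xmpp-client($|,)", value) else "httpserver"


# Constructed sample connections, as the first bytes nginx would preread on port 443.
HTTPS_HELLO = build_client_hello(["h2", "http/1.1"])
XMPP_HELLO = build_client_hello(["xmpp-client"])
MIXED_HELLO = build_client_hello(["xmpp-client", "http/1.1"])
STARTTLS_STREAM = b"<?xml version='1.0'?><stream:stream to='example.net' xmlns='jabber:client'>"

if __name__ == "__main__":
    for name, raw in [("https", HTTPS_HELLO), ("xmpp", XMPP_HELLO),
                      ("mixed", MIXED_HELLO), ("starttls", STARTTLS_STREAM)]:
        print(f"{name:9} alpn={preread_alpn(raw)!s:28} exact={route_exact(raw):11} regex={route_regex(raw)}")
```

The STARTTLS sample is the failure mode the paragraph above describes: the parser returns <code>None</code>, the variable is empty, and both maps fall through to <code>httpserver</code>, which then receives an XMPP stream header it cannot serve. The <code>MIXED_HELLO</code> case shows why an exact map key is fragile and a regex key is the safer choice.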
== sslh ==
Here is a sample sslh.conf (using at least [http://www.rutschle.net/tech/sslh/README.html sslh] 1.18) to support [https://xmpp.org/extensions/xep-0368.html XEP-0368] among other things: