[https://xmpp.org/extensions/xep-0368.html XEP-0368] can be used to provide encrypted XMPP service as well as HTTPS on the same port by utilizing the [https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation ALPN TLS extension].
Port 443 is commonly allowed by firewalls. To run multiple services on one port, a proxy is needed to split the traffic between the HTTP server and the XMPP server.
Note that this will not hide XMPP traffic from sufficiently intelligent firewalls, as the ALPN value is still sent unencrypted.
This page presents configuration hints for several popular proxies.
__TOC__
== nginx ==
Nginx since version 1.13.10 has an additional variable (<code>$ssl_preread_alpn_protocols</code>) available when using the [https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html ngx_stream_ssl_preread] module (this module must be included when compiling nginx).
The configuration below routes traffic with ALPN <code>xmpp-client</code> to the upstream <code>xmppserver</code> and the rest (including HTTPS) to <code>httpserver</code>.
<nowiki>
stream {
    upstream httpserver {
        server httpserver:8181;
    }
    upstream xmppserver {
        server xmppserver:5223;
    }
    map $ssl_preread_alpn_protocols $upstream {
        default       httpserver;
        "xmpp-client" xmppserver;
    }
    server {
        listen 443;
        ssl_preread on;
        proxy_pass $upstream;
    }
}</nowiki>
In this configuration nginx routes only TLS traffic, so it works only with direct TLS (the <code>_xmpps-client</code> SRV record). Connections that start unencrypted and then request encryption (STARTTLS, the <code>_xmpp-client</code> record) will not work.
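As an added illustration (not code from the original page), the script below builds a real TLS ClientHello offline with Python's <code>ssl</code> module, reads the SNI and ALPN values out of it the same way <code>ssl_preread</code> or sslh do before any key exchange has happened, and applies the nginx <code>map</code> above. The hostnames and offered protocol lists are constructed sample inputs; it also shows why the caveat about firewalls holds, since both values are readable in cleartext.

```python
import ssl
import struct

def client_hello_bytes(server_name, alpn):
    """Build a real TLS ClientHello offline via memory BIOs (no network needed)."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(alpn)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello has been written, client now waits for the server
    return outgoing.read()

def parse_client_hello(data):
    """Return (sni, alpn_list) from a cleartext ClientHello, as ssl_preread/sslh do."""
    # record header: type(1) version(2) length(2); handshake header: type(1) length(3)
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 9 + 2 + 32                                          # headers, client_version, random
    p += 1 + data[p]                                        # session_id
    (n,) = struct.unpack_from("!H", data, p); p += 2 + n    # cipher_suites
    p += 1 + data[p]                                        # compression_methods
    (n,) = struct.unpack_from("!H", data, p); p += 2        # extensions length
    end, sni, alpn = p + n, None, []
    while p < end:
        ext_type, length = struct.unpack_from("!HH", data, p); p += 4
        body = data[p:p + length]; p += length
        if ext_type == 0:              # server_name: list len(2), type(1), len(2), name
            (name_len,) = struct.unpack_from("!H", body, 3)
            sni = body[5:5 + name_len].decode("ascii")
        elif ext_type == 16:           # ALPN: list len(2), then (len(1), name) entries
            q = 2
            while q < len(body):
                alpn.append(body[q + 1:q + 1 + body[q]].decode("ascii"))
                q += 1 + body[q]
    return sni, alpn

def nginx_upstream(alpn):
    """Mirror the nginx map: $ssl_preread_alpn_protocols is the offered list joined by
    commas and map does an exact match, so only a lone "xmpp-client" reaches xmppserver."""
    return "xmppserver" if ",".join(alpn) == "xmpp-client" else "httpserver"

if __name__ == "__main__":
    # constructed sample inputs: an XMPP client and a browser connecting to port 443
    for host, offered in (("example.org", ["xmpp-client"]), ("www.example.org", ["h2", "http/1.1"])):
        sni, alpn = parse_client_hello(client_hello_bytes(host, offered))
        print(f"SNI={sni} ALPN={alpn} -> {nginx_upstream(alpn)}")
```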
== sslh ==
Here is a sample sslh.conf (requires at least [http://www.rutschle.net/tech/sslh/README.html sslh] 1.18) to support [https://xmpp.org/extensions/xep-0368.html XEP-0368] among other things:
<nowiki>
verbose: false;
foreground: true;
inetd: false;
numeric: true;
transparent: false;
timeout: "2";
user: "nobody";
pidfile: "/run/sslh.pid";
# Note: I had to use IPs everywhere and not hostnames
# List of interfaces on which we should listen
listen:
(
    { host: "0.0.0.0"; port: "443"; },
);
# in this example:
# 5223 is a "direct-tls" xmpp port (prosody legacy_ssl_ports, ejabberd listen with tls: true)
# 442 is a https port (nginx, apache, etc)
# 22 is an ssh port (openssh)
# 5222 is a regular/plain/starttls xmpp port (prosody c2s_ports, ejabberd listen with starttls: true)
# 994 is "direct-tls" imap port, imaps (dovecot etc)
protocols:
(
    { name: "tls"; host: "127.0.0.1"; port: "442"; alpn_protocols: [ "h2", "http/1.1" ]; },             # https most common case
    { name: "tls"; host: "127.0.0.1"; port: "5223"; alpn_protocols: [ "xmpp-client" ]; },                # check for XEP-0368 xmpp tls (this needs to be above the SNI check below because XEP-0368 would send example.org in SNI)
    { name: "tls"; host: "127.0.0.1"; port: "442"; sni_hostnames: [ "www.example.org", "example.org" ]; }, # specific hostnames go to https
    { name: "tls"; host: "127.0.0.1"; port: "994"; sni_hostnames: [ "imap.example.org" ]; },             # other hostnames go to imaps
    { name: "tls"; host: "127.0.0.1"; port: "442"; },                                                     # anything else TLS is assumed to be https
    { name: "ssh"; host: "127.0.0.1"; port: "22"; },                                                      # ssh goes to ssh
    { name: "xmpp"; host: "127.0.0.1"; port: "5222"; },                                                   # xmpp goes to regular xmpp port
    { name: "timeout"; host: "127.0.0.1"; port: "442"; }                                                  # send everything unknown to https
);
on-timeout: "timeout"; # if timeout elapses (2 seconds here) go to https
</nowiki>
Another (incorrectly named) example can be found at the [https://wiki.debian.org/InstallingProsody#XMPP_over_HTTPS Debian Wiki].
== DNS setup ==
You then need to set up your [https://wiki.xmpp.org/web/SRV_Records SRV Records] so clients can find it; personally I have mine set up like so (for a JID like me@example.org):
<nowiki>
_xmpps-client._tcp.example.org. 86400 IN SRV 5 0 443 xmpp.example.org.
_xmpp-client._tcp.example.org. 86400 IN SRV 10 0 443 xmpp.example.org.
_xmpp-client._tcp.example.org. 86400 IN SRV 15 0 5222 xmpp.example.org.
</nowiki>
This prioritizes XEP-0368 TLS over port 443 first, then plain XMPP over 443, and lastly plain XMPP over 5222. A client that doesn't support XEP-0368 just skips the first record.
Please note the target can be anything (example.org, xmpp.example.org, or some.unrelated.domain.net), as long as it is listening on those ports and has a valid certificate for example.org in this case.
If you have any questions feel free to ask the author of XEP-0368 via email, XMPP, or the nick moparisthebest in the [xmpp:xsf@muc.xmpp.org?join XSF MUC].