(→HAProxy: added a line to allow both 5222 and 5223 to be used, to pass compliance tests when SRV records are set like in example on this page)
Neustradamus (minor edit)
Line 80: | Line 80: | ||
( | ( | ||
{ name: "tls"; host: "127.0.0.1"; port: "442"; alpn_protocols: [ "h2", "http/1.1" ]; }, # https most common case | { name: "tls"; host: "127.0.0.1"; port: "442"; alpn_protocols: [ "h2", "http/1.1" ]; }, # https most common case | ||
{ name: "tls"; host: "127.0.0.1"; port: "5223"; alpn_protocols: [ "xmpp-client" ]; }, # check for XEP-0368 xmpp tls (this needs to be above SNI check below because XEP-0368 would send | { name: "tls"; host: "127.0.0.1"; port: "5223"; alpn_protocols: [ "xmpp-client" ]; }, # check for XEP-0368 xmpp tls (this needs to be above SNI check below because XEP-0368 would send domain.tld in SNI) | ||
{ name: "tls"; host: "127.0.0.1"; port: "442"; sni_hostnames: [ "www. | { name: "tls"; host: "127.0.0.1"; port: "442"; sni_hostnames: [ "www.domain.tld", "domain.tld" ]; }, # specific hostnames go to https | ||
{ name: "tls"; host: "127.0.0.1"; port: "3477"; alpn_protocols: [ "stun.turn", "stun.nat-discovery" ]; }, # turn should send ALPN, but if it doesn't... | { name: "tls"; host: "127.0.0.1"; port: "3477"; alpn_protocols: [ "stun.turn", "stun.nat-discovery" ]; }, # turn should send ALPN, but if it doesn't... | ||
{ name: "tls"; host: "127.0.0.1"; port: "3477"; sni_hostnames: [ "turn. | { name: "tls"; host: "127.0.0.1"; port: "3477"; sni_hostnames: [ "turn.domain.tld" ]; }, # we can also match turn on SNI | ||
{ name: "tls"; host: "127.0.0.1"; port: "994"; sni_hostnames: [ "imap. | { name: "tls"; host: "127.0.0.1"; port: "994"; sni_hostnames: [ "imap.domain.tld" ]; }, # other hostnames go to imaps | ||
{ name: "tls"; host: "127.0.0.1"; port: "442"; }, # anything else TLS assume for https | { name: "tls"; host: "127.0.0.1"; port: "442"; }, # anything else TLS assume for https | ||
{ name: "ssh"; host: "127.0.0.1"; port: "22"; }, # ssh goes to ssh | { name: "ssh"; host: "127.0.0.1"; port: "22"; }, # ssh goes to ssh | ||
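Review bot: the XEP-0368 rule on port 5223 matches only on ALPN "xmpp-client"; a direct-TLS XMPP client that does not send ALPN presents SNI "domain.tld" (as the comment on that line says) and therefore falls through to the next rule, which routes "domain.tld" to the https backend on 442. The turn rule has an SNI fallback on "turn.domain.tld", but there is no equivalent for XMPP, so either state that ALPN is required for the direct-TLS path or add a dedicated XMPP hostname to route on. Also, this hunk itself only expands the truncated hostnames to domain.tld; the 5222/5223 line mentioned in the edit summary is not in it.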
Line 180: | Line 180: | ||
== DNS setup == | == DNS setup == | ||
You then need to setup your [https://wiki.xmpp.org/web/SRV_Records SRV Records] so clients can find it, personally I have mine set up like so (for a JID like me@ | You then need to setup your [https://wiki.xmpp.org/web/SRV_Records SRV Records] so clients can find it, personally I have mine set up like so (for a JID like me@domain.tld): | ||
_xmpps-client._tcp. | _xmpps-client._tcp.domain.tld. 86400 IN SRV 5 0 443 xmpp.domain.tld. | ||
_xmpp-client._tcp. | _xmpp-client._tcp.domain.tld. 86400 IN SRV 10 0 443 xmpp.domain.tld. | ||
_xmpp-client._tcp. | _xmpp-client._tcp.domain.tld. 86400 IN SRV 15 0 5222 xmpp.domain.tld. | ||
This prioritizes XEP-0368 TLS over port 443 first, then plain XMPP over 443 next, and lastly plain XMPP over 5222. A client that doesn't support XEP-0368 just skips the first record. | This prioritizes XEP-0368 TLS over port 443 first, then plain XMPP over 443 next, and lastly plain XMPP over 5222. A client that doesn't support XEP-0368 just skips the first record. | ||
Please note the target can be anything, | Please note the target can be anything, domain.tld, xmpp.domain.tld, or some.unrelated.domain.net, just as long as it's listening on those ports and has a valid certificate for domain.tld in this case. | ||
If you have any questions feel free to ask the author of XEP-0368 via email, XMPP, or the nick moparisthebest in the [xmpp:xsf@muc.xmpp.org?join XSF MUC] | If you have any questions feel free to ask the author of XEP-0368 via email, XMPP, or the nick moparisthebest in the [xmpp:xsf@muc.xmpp.org?join XSF MUC] |
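Review bot: the sentence after the records calls the 443 and 5222 `_xmpp-client` entries "plain XMPP", which reads as unencrypted; if these are the usual STARTTLS-capable streams, say so, since the point of putting the `_xmpps-client` record at priority 5 is transport security. It would also help to tie the records back to the TLS demultiplexer configuration above: the `_xmpps-client` record sends clients to port 443 on xmpp.domain.tld, so that listener must be the one matching ALPN "xmpp-client" and forwarding to the local 5223 backend, and the certificate it serves has to be for domain.tld (the JID domain) rather than for the SRV target, as the paragraph on targets already notes.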