Difference between revisions of "Tech pages/XEP-0368"

15 bytes removed ,  16:44, 26 December 2023
m
no edit summary
(→‎HAProxy: added a line to allow both 5222 and 5223 to be used, to pass compliance tests when SRV records are set like in example on this page)
m
 
Line 80: Line 80:
(
(
     { name: "tls";    host: "127.0.0.1"; port: "442";  alpn_protocols: [ "h2", "http/1.1" ]; },                  # https most common case
     { name: "tls";    host: "127.0.0.1"; port: "442";  alpn_protocols: [ "h2", "http/1.1" ]; },                  # https most common case
     { name: "tls";    host: "127.0.0.1"; port: "5223"; alpn_protocols: [ "xmpp-client" ]; },                    # check for XEP-0368 xmpp tls (this needs to be above SNI check below because XEP-0368 would send example.org in SNI)
     { name: "tls";    host: "127.0.0.1"; port: "5223"; alpn_protocols: [ "xmpp-client" ]; },                    # check for XEP-0368 xmpp tls (this needs to be above SNI check below because XEP-0368 would send domain.tld in SNI)
     { name: "tls";    host: "127.0.0.1"; port: "442";  sni_hostnames:  [ "www.example.org", "example.org" ]; },  # specific hostnames go to https
     { name: "tls";    host: "127.0.0.1"; port: "442";  sni_hostnames:  [ "www.domain.tld", "domain.tld" ]; },  # specific hostnames go to https
     { name: "tls";    host: "127.0.0.1"; port: "3477"; alpn_protocols: [ "stun.turn", "stun.nat-discovery" ]; }, # turn should send ALPN, but if it doesn't...
     { name: "tls";    host: "127.0.0.1"; port: "3477"; alpn_protocols: [ "stun.turn", "stun.nat-discovery" ]; }, # turn should send ALPN, but if it doesn't...
     { name: "tls";    host: "127.0.0.1"; port: "3477"; sni_hostnames:  [ "turn.example.org" ]; },                # we can also match turn on SNI
     { name: "tls";    host: "127.0.0.1"; port: "3477"; sni_hostnames:  [ "turn.domain.tld" ]; },                # we can also match turn on SNI
     { name: "tls";    host: "127.0.0.1"; port: "994";  sni_hostnames:  [ "imap.example.org" ]; },                # other hostnames go to imaps
     { name: "tls";    host: "127.0.0.1"; port: "994";  sni_hostnames:  [ "imap.domain.tld" ]; },                # other hostnames go to imaps
     { name: "tls";    host: "127.0.0.1"; port: "442"; },                                                        # anything else TLS assume for https
     { name: "tls";    host: "127.0.0.1"; port: "442"; },                                                        # anything else TLS assume for https
     { name: "ssh";    host: "127.0.0.1"; port: "22"; },                                                          # ssh goes to ssh
     { name: "ssh";    host: "127.0.0.1"; port: "22"; },                                                          # ssh goes to ssh
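Review bot: domain.tld is not one of the names reserved for documentation (RFC 2606 reserves example.com, example.net and example.org for exactly this purpose), so the rename in the xmpp-client comment and in the two sni_hostnames lists swaps a guaranteed-safe placeholder for an unreserved one; keeping example.org, or using example.com, avoids readers copying a name with no reservation behind it. Separately, shortening the hostnames moved the trailing comment column on the `port: "442"; sni_hostnames:` line two characters left of its neighbours; re-pad it so the comment column stays aligned with the surrounding entries.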
Line 180: Line 180:
== DNS setup ==
== DNS setup ==


You then need to setup your [https://wiki.xmpp.org/web/SRV_Records SRV Records] so clients can find it, personally I have mine set up like so (for a JID like me@example.org):
You then need to setup your [https://wiki.xmpp.org/web/SRV_Records SRV Records] so clients can find it, personally I have mine set up like so (for a JID like me@domain.tld):


  _xmpps-client._tcp.example.org. 86400 IN SRV 5  0 443  xmpp.example.org.
  _xmpps-client._tcp.domain.tld. 86400 IN SRV 5  0 443  xmpp.domain.tld.
  _xmpp-client._tcp.example.org.  86400 IN SRV 10 0 443  xmpp.example.org.
  _xmpp-client._tcp.domain.tld.  86400 IN SRV 10 0 443  xmpp.domain.tld.
  _xmpp-client._tcp.example.org.  86400 IN SRV 15 0 5222 xmpp.example.org.
  _xmpp-client._tcp.domain.tld.  86400 IN SRV 15 0 5222 xmpp.domain.tld.


This prioritizes XEP-0368 TLS over port 443 first, then plain XMPP over 443 next, and lastly plain XMPP over 5222.  A client that doesn't support XEP-0368 just skips the first record.
This prioritizes XEP-0368 TLS over port 443 first, then plain XMPP over 443 next, and lastly plain XMPP over 5222.  A client that doesn't support XEP-0368 just skips the first record.


Please note the target can be anything, example.org, xmpp.example.org, or some.unrelated.domain.net, just as long as it's listening on those ports and has a valid certificate for example.org in this case.
Please note the target can be anything, domain.tld, xmpp.domain.tld, or some.unrelated.domain.net, just as long as it's listening on those ports and has a valid certificate for domain.tld in this case.


If you have any questions feel free to ask the author of XEP-0368 via email, XMPP, or the nick moparisthebest in the [xmpp:xsf@muc.xmpp.org?join XSF MUC]
If you have any questions feel free to ask the author of XEP-0368 via email, XMPP, or the nick moparisthebest in the [xmpp:xsf@muc.xmpp.org?join XSF MUC]
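Review bot: the same reserved-name concern applies to the SRV records and the JID example in this hunk (domain.tld versus the RFC 2606 example.org it replaces). On the sentence "just as long as it's listening on those ports and has a valid certificate for domain.tld in this case", it would be worth stating explicitly that the certificate is validated against the JID domain and not against the SRV target name, since SRV answers are not authenticated without DNSSEC and that validation is what makes an arbitrary target safe; suggested wording: "has a valid certificate for domain.tld (the JID domain, not the SRV target) in this case".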