Difference between pages "XMPP Newsletter" and "Tech pages/XEP-0368"

From XMPP WIKI

XMPP Newsletter

Here you can submit news items for inclusion in the next XMPP Newsletter (as managed by the [[CommTeam]]).

== What determines relevancy? ==

The submission must ideally be a blog or article about XMPP/Jabber and/or XMPP-based software (clients, servers, libs).

Some exceptions might be made, for example for a release page showing a new release of some XMPP-based software.

However, marketing brochures (e.g. single-page marketing sites) for new products which don't contain information on XMPP won't be included.

== Submissions ==

=== Articles ===
https://www.couponudemy.com/blog/the-complete-xmpp-course-chat-server-setup-android-ios-apps/
https://news.jabberfr.org/2018/10/actualite-xmpp/
https://linuxfr.org/news/traduction-de-la-lettre-d-actualite-xmpp-d-octobre-2018-par-jabberfr#comment-1751056

=== Videos ===

=== Events ===
https://www.meetup.com/fr-FR/Berlin-XMPP-Meetup/events/255192726/
[[Sprints/2018 November Dusseldorf]]
Board and Council elections
https://wiki.xmpp.org/web/Board_and_Council_Elections_2018#Board_of_Directors

=== Extensions and specifications ===

=== Software releases ===

==== Servers ====
https://tigase.net/blog-entry/tigase-xmpp-server-v714-released

==== Clients ====
https://www.goffi.org/b/74BwHSApD7w7Tr9L9fvR82/news-control-your-media-player-from-omemo
https://github.com/conversejs/converse.js/releases/tag/v4.0.2
https://github.com/conversejs/converse.js/releases/tag/v4.0.3

==== Libraries ====
https://discourse.igniterealtime.org/t/smack-4-3-1-released/83075
https://tigase.net/blog-entry/tigase-client-library-v320-released
https://github.com/xmppjs/xmpp.js/releases/tag/v0.5.2
https://github.com/strophe/strophejs/releases/tag/v1.3.0

=== Services ===
https://twitter.com/MarcelWaldvogel/status/1051822583816044545

Tech pages/XEP-0368

Revision as of 15:50, 22 October 2018

[https://xmpp.org/extensions/xep-0368.html XEP-0368] can be used to provide encrypted XMPP service as well as HTTPS on the same port by using the [https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation ALPN TLS extension]. Port 443 is commonly allowed by firewalls. To run multiple services on one port, a proxy is needed to split the traffic between the HTTP server and the XMPP server.

Note that this will not hide XMPP traffic from sufficiently intelligent firewalls, as the ALPN value is still sent unencrypted in the TLS ClientHello.

This page presents configuration hints for several popular proxies.

== nginx ==

Nginx since version 1.13.10 has an additional variable (<code>$ssl_preread_alpn_protocols</code>) available when using the [https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html ngx_stream_ssl_preread] module (this module must be included when compiling nginx).

The configuration below routes TLS connections whose ALPN is <code>xmpp-client</code> to the upstream <code>xmppserver</code> and everything else (including HTTPS) to <code>httpserver</code>.

stream {
    upstream httpserver {
        server httpserver:8181;
    }

    upstream xmppserver {
        server xmppserver:5223;
    }

    map $ssl_preread_alpn_protocols $upstream {
        default httpserver;
        "xmpp-client" xmppserver;
    }

    server {
        listen 443;

        ssl_preread on;
        proxy_pass $upstream;
    }
}

Nginx only routes TLS traffic in this configuration, so it works only with direct TLS (<code>_xmpps-client</code> SRV record). Connections that start unencrypted and then request encryption (STARTTLS, <code>_xmpp-client</code> record) will not work.

== sslh ==

Here is a sample sslh.conf (requires at least [http://www.rutschle.net/tech/sslh/README.html sslh] 1.18) to support [https://xmpp.org/extensions/xep-0368.html XEP-0368] among other things:

verbose: false;
foreground: true;
inetd: false;
numeric: true;
transparent: false;
timeout: "2";
user: "nobody";
pidfile: "/run/sslh.pid";

# Note: I had to use IPs everywhere and not hostnames

# List of interfaces on which we should listen
listen:
(
    { host: "0.0.0.0"; port: "443"; },
);

# in this example:
# 5223 is a "direct-tls" xmpp port (prosody legacy_ssl_ports, ejabberd listen with tls: true)
# 442 is a https port (nginx, apache, etc)
# 22 is an ssh port (openssh)
# 5222 is a regular/plain/starttls xmpp port (prosody c2s_ports, ejabberd listen with starttls: true)
# 994 is "direct-tls" imap port, imaps (dovecot etc)
 
protocols:
(
     { name: "tls";     host: "127.0.0.1"; port: "442";  alpn_protocols: [ "h2", "http/1.1" ]; },                 # https most common case
     { name: "tls";     host: "127.0.0.1"; port: "5223"; alpn_protocols: [ "xmpp-client" ]; },                    # check for XEP-0368 xmpp tls (this needs to be above SNI check below because XEP-0368 would send example.org in SNI)
     { name: "tls";     host: "127.0.0.1"; port: "442";  sni_hostnames:  [ "www.example.org", "example.org" ]; }, # specific hostnames go to https
     { name: "tls";     host: "127.0.0.1"; port: "994";  sni_hostnames:  [ "imap.example.org" ]; },               # other hostnames go to imaps
     { name: "tls";     host: "127.0.0.1"; port: "442"; },                                                        # anything else TLS assume for https
     { name: "ssh";     host: "127.0.0.1"; port: "22"; },                                                         # ssh goes to ssh
     { name: "xmpp";    host: "127.0.0.1"; port: "5222"; },                                                       # xmpp goes to regular xmpp port
     { name: "timeout"; host: "127.0.0.1"; port: "442"; }                                                         # send everything unknown to https
);

on-timeout: "timeout"; # if timeout elapses (2 seconds here) go to https

Another (incorrectly named) example can be found at the [https://wiki.debian.org/InstallingProsody#XMPP_over_HTTPS Debian Wiki].
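Both proxies above make their decision from the first bytes of a connection: nginx reads the ALPN list out of the TLS ClientHello, and sslh walks its protocol list in order, testing ALPN, then SNI, then non-TLS probes, and falling back to the timeout target. The following Python script is an added example (not code from this page, nginx or sslh) that does the same demultiplexing in one place so the rules can be exercised offline: it builds a minimal ClientHello with SNI and ALPN, parses it the way a preread proxy (or a firewall inspecting the unencrypted handshake) would, applies the page's nginx map, and applies a rule table mirroring the sslh.conf above. The rule table, the STARTTLS stream opener, and the simplified probes (ssh banner prefix, the string "jabber" for XMPP) are assumptions; no sockets are opened and the ports are only labels.

```python
import struct

# Constructed rule table mirroring the sslh.conf above; first match wins, like sslh's
# protocols list. Ports are only labels here, nothing is connected to.
RULES = [
    {"name": "tls", "port": 442, "alpn_protocols": ["h2", "http/1.1"]},
    {"name": "tls", "port": 5223, "alpn_protocols": ["xmpp-client"]},
    {"name": "tls", "port": 442, "sni_hostnames": ["www.example.org", "example.org"]},
    {"name": "tls", "port": 994, "sni_hostnames": ["imap.example.org"]},
    {"name": "tls", "port": 442},
    {"name": "ssh", "port": 22},
    {"name": "xmpp", "port": 5222},
]
TIMEOUT_PORT = 442   # the on-timeout target

# Constructed first bytes of a STARTTLS-style XMPP connection (no TLS record at all).
STARTTLS_OPEN = b"<?xml version='1.0'?><stream:stream xmlns='jabber:client' to='example.org'>"


def build_client_hello(sni=None, alpn=()):
    """Build a minimal TLS ClientHello record carrying SNI and ALPN (constructed input)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name type + name
        body = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(body)) + body           # extension 0 = SNI
    if alpn:
        lst = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
        body = struct.pack("!H", len(lst)) + lst
        exts += struct.pack("!HH", 16, len(body)) + body          # extension 16 = ALPN
    hello = (b"\x03\x03" + bytes(32)          # client_version + random
             + b"\x00"                          # empty session_id
             + b"\x00\x02\x13\x01"              # one cipher suite
             + b"\x01\x00"                      # null compression
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return (sni, [alpn, ...]) read from a ClientHello, or None if data is not one.
    All of this is plaintext: it is exactly what a proxy, or a firewall, gets to see."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:
            return None
        pos = 9 + 2 + 32                                    # headers, version, random
        pos += 1 + data[pos]                                # session_id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]   # cipher_suites
        pos += 1 + data[pos]                                # compression_methods
        end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        sni, alpn = None, []
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", data, pos)
            edata = data[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0:       # server_name: list len(2), type(1), name len(2), name
                nlen = struct.unpack_from("!H", edata, 3)[0]
                sni = edata[5:5 + nlen].decode("ascii")
            elif etype == 16:    # alpn: list len(2), then (len(1), name) entries
                p = 2
                while p < len(edata):
                    plen = edata[p]
                    alpn.append(edata[p + 1:p + 1 + plen].decode("ascii"))
                    p += 1 + plen
        return sni, alpn
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def nginx_upstream(first_bytes):
    """The page's nginx map: ALPN xmpp-client -> xmppserver, everything else -> httpserver."""
    hello = parse_client_hello(first_bytes)
    if hello is not None and "xmpp-client" in hello[1]:
        return "xmppserver"
    return "httpserver"


def sslh_port(first_bytes):
    """Walk RULES in order with simplified sslh-like probes; empty input stands for the
    2 second timeout elapsing with nothing received."""
    if not first_bytes:
        return TIMEOUT_PORT
    hello = parse_client_hello(first_bytes)
    for rule in RULES:
        if rule["name"] == "tls":
            if hello is None:
                continue
            sni, alpn = hello
            if rule.get("alpn_protocols") and not set(rule["alpn_protocols"]) & set(alpn):
                continue
            if rule.get("sni_hostnames") and sni not in rule["sni_hostnames"]:
                continue
            return rule["port"]
        if rule["name"] == "ssh" and first_bytes.startswith(b"SSH-"):
            return rule["port"]
        if rule["name"] == "xmpp" and b"jabber" in first_bytes:
            return rule["port"]
    return TIMEOUT_PORT


if __name__ == "__main__":
    xmpp_hello = build_client_hello("example.org", ["xmpp-client"])
    print(parse_client_hello(xmpp_hello), nginx_upstream(xmpp_hello), sslh_port(xmpp_hello))
    print(nginx_upstream(STARTTLS_OPEN), sslh_port(STARTTLS_OPEN))
```

Running it shows the two points the text makes: the XEP-0368 ClientHello (SNI example.org, ALPN xmpp-client) reaches the xmpp-client rule before the example.org SNI rule only because of the rule order, and a STARTTLS connection, which sends an XML stream opener rather than a TLS record, is handed to httpserver by the nginx map but to the plain XMPP port by sslh's xmpp probe.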

== DNS setup ==

You then need to set up your [https://wiki.xmpp.org/web/SRV_Records SRV Records] so clients can find it; personally I have mine set up like so (for a JID like me@example.org):

_xmpps-client._tcp.example.org. 86400 IN SRV 5  0 443  xmpp.example.org.
_xmpp-client._tcp.example.org.  86400 IN SRV 10 0 443  xmpp.example.org.
_xmpp-client._tcp.example.org.  86400 IN SRV 15 0 5222 xmpp.example.org.

This prioritizes XEP-0368 TLS over port 443 first, then plain XMPP over 443 next, and lastly plain XMPP over 5222. A client that doesn't support XEP-0368 just skips the first record.

Please note the target can be anything (example.org, xmpp.example.org, or some.unrelated.domain.net), as long as it is listening on those ports and has a valid certificate for example.org, the JID domain in this case.
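To see the connection order those three records produce, here is an added Python example (not part of this wiki page) that parses the zone lines above, orders them with the RFC 2782 priority/weight procedure, and prints the plan for a client that understands XEP-0368 (which looks up both <code>_xmpps-client</code> and <code>_xmpp-client</code> and sorts the merged set) and for a client that only knows <code>_xmpp-client</code>. The zone text is a constructed copy of the records on this page; the seeded random generator is an assumption that only matters when weights are non-zero.

```python
import random

# Constructed copy of the three SRV records shown on this page.
ZONE = """\
_xmpps-client._tcp.example.org. 86400 IN SRV 5  0 443  xmpp.example.org.
_xmpp-client._tcp.example.org.  86400 IN SRV 10 0 443  xmpp.example.org.
_xmpp-client._tcp.example.org.  86400 IN SRV 15 0 5222 xmpp.example.org.
"""


def parse_srv(zone_text):
    """Parse zone-file style SRV lines into dicts (service, priority, weight, port, target)."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[3] != "SRV":
            continue
        owner, _ttl, _cls, _typ, prio, weight, port, target = fields
        records.append({
            "service": owner.split(".")[0],     # "_xmpps-client" or "_xmpp-client"
            "priority": int(prio), "weight": int(weight),
            "port": int(port), "target": target,
        })
    return records


def order_rfc2782(records, rng=None):
    """Order records as RFC 2782 prescribes: lowest priority number first; within one
    priority level, draw repeatedly at random with probability proportional to weight."""
    rng = rng or random.Random(0)          # seeded so the example is reproducible
    ordered = []
    for prio in sorted({r["priority"] for r in records}):
        group = [r for r in records if r["priority"] == prio]
        while group:
            total = sum(r["weight"] for r in group)
            pick = rng.randint(0, total)   # all weights 0 on this page, so pick is 0
            running = 0
            for r in group:
                running += r["weight"]
                if running >= pick:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def connection_plan(records, supports_xep0368):
    """(service, target, port) tuples in the order a client will try them. A XEP-0368
    aware client merges the direct-TLS and STARTTLS records before sorting; an older
    client never sees _xmpps-client and therefore skips the port 443 direct-TLS entry."""
    wanted = {"_xmpp-client"}
    if supports_xep0368:
        wanted.add("_xmpps-client")
    chosen = [r for r in records if r["service"] in wanted]
    return [(r["service"], r["target"], r["port"]) for r in order_rfc2782(chosen)]


if __name__ == "__main__":
    recs = parse_srv(ZONE)
    for label, flag in (("XEP-0368 client", True), ("legacy client", False)):
        print(label, connection_plan(recs, flag))
```

Whichever entry is tried, the client verifies the certificate against the JID domain (example.org here), not against the SRV target name, which is why the target may live in an unrelated domain as the note above says.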

If you have any questions, feel free to ask the author of XEP-0368 via email, XMPP, or the nick moparisthebest in the [xmpp:xsf@muc.xmpp.org?join XSF MUC].