[https://xmpp.org/extensions/xep-0368.html XEP-0368] can be used to provide encrypted XMPP service as well as HTTPS on the same port by utilizing the [https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation ALPN TLS extension].

Port 443 is commonly allowed by firewalls. To run multiple services on one port, a proxy is needed to split the traffic between the HTTP server and the XMPP server.

Note that this will not hide XMPP traffic from a sufficiently intelligent firewall: the ALPN value is sent unencrypted in the TLS ClientHello, so any middlebox that inspects the handshake can read it.

This page presents configuration hints for several popular proxies.

== Contact details ==

JID / Email: pep@bouah.net

__TOC__
== nginx ==

Nginx since version 1.13.10 has an additional variable (<code>$ssl_preread_alpn_protocols</code>) available when using the [https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html ngx_stream_ssl_preread] module (this module must be included when compiling nginx).

The configuration below routes traffic whose ALPN value is <code>xmpp-client</code> to the upstream <code>xmppserver</code> and everything else (including HTTPS) to <code>httpserver</code>.
<nowiki>
stream {
    upstream httpserver {
        server httpserver:8181;
    }

    upstream xmppserver {
        server xmppserver:5223;
    }

    map $ssl_preread_alpn_protocols $upstream {
        default httpserver;
        "xmpp-client" xmppserver;
    }

    server {
        listen 443;

        ssl_preread on;
        proxy_pass $upstream;
    }
}</nowiki>
Nginx will route only TLS traffic in this configuration, so it will work only with direct TLS (<code>_xmpps-client</code> SRV record). Connections that start unencrypted and then request encryption (STARTTLS, <code>_xmpp-client</code> record) will not work. Note also that <code>$ssl_preread_alpn_protocols</code> holds the complete comma-separated list of protocols the client advertised, so the exact-match <code>map</code> entry above only fires for a client that advertises <code>xmpp-client</code> alone.

== sslh ==

Here is a sample sslh.conf (requires [http://www.rutschle.net/tech/sslh/README.html sslh] 1.18 or later) to support [https://xmpp.org/extensions/xep-0368.html XEP-0368] among other things:
<nowiki>
verbose: false;
foreground: true;
inetd: false;
numeric: true;
transparent: false;
timeout: "2";
user: "nobody";
pidfile: "/run/sslh.pid";

# Note: I had to use IPs everywhere and not hostnames

# List of interfaces on which we should listen
listen:
(
    { host: "0.0.0.0"; port: "443"; },
);

# in this example:
# 5223 is a "direct-tls" xmpp port (prosody legacy_ssl_ports, ejabberd listen with tls: true)
# 442 is a https port (nginx, apache, etc)
# 22 is an ssh port (openssh)
# 5222 is a regular/plain/starttls xmpp port (prosody c2s_ports, ejabberd listen with starttls: true)
# 994 is "direct-tls" imap port, imaps (dovecot etc)

protocols:
(
    { name: "tls"; host: "127.0.0.1"; port: "442"; alpn_protocols: [ "h2", "http/1.1" ]; }, # https most common case
    { name: "tls"; host: "127.0.0.1"; port: "5223"; alpn_protocols: [ "xmpp-client" ]; }, # check for XEP-0368 xmpp tls (this needs to be above the SNI check below because XEP-0368 would send example.org in SNI)
    { name: "tls"; host: "127.0.0.1"; port: "442"; sni_hostnames: [ "www.example.org", "example.org" ]; }, # specific hostnames go to https
    { name: "tls"; host: "127.0.0.1"; port: "994"; sni_hostnames: [ "imap.example.org" ]; }, # other hostnames go to imaps
    { name: "tls"; host: "127.0.0.1"; port: "442"; }, # anything else TLS, assume https
    { name: "ssh"; host: "127.0.0.1"; port: "22"; }, # ssh goes to ssh
    { name: "xmpp"; host: "127.0.0.1"; port: "5222"; }, # xmpp goes to regular xmpp port
    { name: "timeout"; host: "127.0.0.1"; port: "442"; } # send everything unknown to https
);

on-timeout: "timeout"; # if timeout elapses (2 seconds here) go to https
</nowiki>
Another example (filed under the incorrectly named section "XMPP over HTTPS") can be found at the [https://wiki.debian.org/InstallingProsody#XMPP_over_HTTPS Debian Wiki].
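As an added example (not nginx or sslh code), the following Python models the decision both configurations above make: it parses the SNI and ALPN extensions out of the cleartext ClientHello, then walks an ordered rule table transcribed from the sslh.conf (the nginx <code>map</code> is the ALPN-only subset of the same table). The matching semantics are a simplified model of sslh's, not its implementation; <code>build_client_hello</code>, <code>parse_client_hello</code>, <code>classify</code>, <code>route</code> and the rule lists are names chosen here, and every ClientHello byte string is constructed test input rather than a capture.

```python
"""Added example (not nginx or sslh code): a model of the demultiplexing
decision a port-443 proxy makes from the first bytes of a connection.
Rule table transcribed from the sslh.conf above; matching is simplified."""
import os
import struct
from typing import List, Optional

def build_client_hello(sni: Optional[str], alpn: List[str]) -> bytes:
    """Minimal TLS ClientHello with SNI and ALPN (constructed test data)."""
    exts = b""
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name
        body = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(body)) + body
    if alpn:
        protos = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
        body = struct.pack("!H", len(protos)) + protos
        exts += struct.pack("!HH", 0x0010, len(body)) + body
    hello = (b"\x03\x03" + os.urandom(32) + b"\x00"   # version, random, no session id
             + b"\x00\x02\x13\x01" + b"\x01\x00"      # one cipher suite, null compression
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(hello))[1:] + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(data: bytes) -> dict:
    """Extract SNI and ALPN; both travel in the clear, so a proxy can act on them."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                    # header, version, random
    pos += 1 + hs[pos]                                  # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher suites
    pos += 1 + hs[pos]                                  # compression methods
    result = {"sni": None, "alpn": []}
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0] if pos + 2 <= len(hs) else pos
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        body = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0x0000 and len(body) >= 5:          # server_name
            n = struct.unpack("!H", body[3:5])[0]
            result["sni"] = body[5:5 + n].decode("ascii", "replace")
        elif etype == 0x0010 and len(body) >= 2:        # ALPN protocol list
            p = 2
            while p < len(body):
                n = body[p]
                result["alpn"].append(body[p + 1:p + 1 + n].decode("ascii", "replace"))
                p += 1 + n
    return result

# Rule table transcribed from the sslh.conf above; the first match wins.
SSLH_RULES = [
    {"proto": "tls", "port": 442, "alpn": ["h2", "http/1.1"]},
    {"proto": "tls", "port": 5223, "alpn": ["xmpp-client"]},
    {"proto": "tls", "port": 442, "sni": ["www.example.org", "example.org"]},
    {"proto": "tls", "port": 994, "sni": ["imap.example.org"]},
    {"proto": "tls", "port": 442},
    {"proto": "ssh", "port": 22},
    {"proto": "xmpp", "port": 5222},
]
NGINX_RULES = [   # the nginx map above: the ALPN-only subset of the same idea
    {"proto": "tls", "port": 5223, "alpn": ["xmpp-client"]},
    {"proto": "tls", "port": 8181},
]
TIMEOUT_PORT = 442                                      # on-timeout target

def classify(first_bytes: bytes) -> str:
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if first_bytes[:1] == b"\x16":
        return "tls"
    if first_bytes.lstrip().startswith((b"<?xml", b"<stream:stream")):
        return "xmpp"
    return "unknown"

def route(first_bytes: bytes, rules=SSLH_RULES) -> int:
    """Return the backend port the connection is forwarded to."""
    if not first_bytes:
        return TIMEOUT_PORT                   # client sent nothing before the timeout
    proto = classify(first_bytes)
    hello = parse_client_hello(first_bytes) if proto == "tls" else None
    for rule in rules:
        if rule["proto"] != proto:
            continue
        if "alpn" in rule:
            if any(a in rule["alpn"] for a in hello["alpn"]):
                return rule["port"]
        elif "sni" in rule:
            if hello["sni"] in rule["sni"]:
                return rule["port"]
        else:
            return rule["port"]               # unfiltered rule matches any TLS
    return TIMEOUT_PORT
```

Running <code>route()</code> on a ClientHello carrying SNI <code>example.org</code> and ALPN <code>xmpp-client</code> yields 5223, while the same hello with ALPN <code>h2</code> yields 442. Swapping the ALPN rule below the SNI rule sends the XMPP hello to 442 instead, which is exactly the ordering problem the comment in the config warns about. The parser also makes the caveat at the top of the page concrete: SNI and ALPN are readable by anyone on the path before any encryption starts.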
== DNS setup ==

You then need to set up your [https://wiki.xmpp.org/web/SRV_Records SRV records] so clients can find the service; personally I have mine set up like so (for a JID like me@example.org):
<nowiki>
_xmpps-client._tcp.example.org. 86400 IN SRV 5 0 443 xmpp.example.org.
_xmpp-client._tcp.example.org. 86400 IN SRV 10 0 443 xmpp.example.org.
_xmpp-client._tcp.example.org. 86400 IN SRV 15 0 5222 xmpp.example.org.
</nowiki>
This prioritizes XEP-0368 direct TLS over port 443 first, then plain (STARTTLS) XMPP over 443, and lastly plain XMPP over 5222. A client that doesn't support XEP-0368 simply skips the first record.

Note that the target can be anything (example.org, xmpp.example.org, or even some.unrelated.domain.net) as long as it is listening on those ports and presents a valid certificate for example.org in this case.
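To make that ordering concrete, here is an added example (not taken from XEP-0368 or from any XMPP client) that takes the three records above and produces the order in which a client tries them. It follows the XEP-0368 rule that a supporting client looks up both <code>_xmpps-client</code> and <code>_xmpp-client</code>, merges the two sets and sorts them by priority and weight, while a non-supporting client only ever looks up <code>_xmpp-client</code>. <code>SRV_RECORDS</code> and <code>connection_order</code> are names chosen here, and the weighted pick inside one priority is a simplification of the RFC 2782 selection procedure.

```python
"""Added example (not from XEP-0368 or any XMPP client): the order in
which a client tries the SRV records above.  Per XEP-0368 a supporting
client merges _xmpps-client and _xmpp-client and sorts the combined set
by priority and weight; a non-supporting client only looks up _xmpp-client."""
import random
from typing import List, Tuple

# Constructed from the zone lines above:
# (service, priority, weight, port, target)
SRV_RECORDS = [
    ("_xmpps-client", 5, 0, 443, "xmpp.example.org"),
    ("_xmpp-client", 10, 0, 443, "xmpp.example.org"),
    ("_xmpp-client", 15, 0, 5222, "xmpp.example.org"),
]

def connection_order(records, supports_xep0368: bool,
                     rng=random) -> List[Tuple[str, int, str]]:
    """Return [(tls_mode, port, target), ...] in the order a client
    would attempt them.  tls_mode is "direct-tls" for _xmpps-client
    records and "starttls" for _xmpp-client records."""
    usable = [r for r in records
              if supports_xep0368 or r[0] == "_xmpp-client"]
    order = []
    # Lower priority value first; within one priority pick records at
    # random with probability proportional to weight (uniform when all
    # weights are zero).  This is a simplification of RFC 2782's
    # selection procedure, sufficient when priorities are distinct.
    for prio in sorted({r[1] for r in usable}):
        group = [r for r in usable if r[1] == prio]
        while group:
            weights = [r[2] for r in group]
            if sum(weights) == 0:
                pick = rng.choice(group)
            else:
                pick = rng.choices(group, weights=weights, k=1)[0]
            group.remove(pick)
            mode = "direct-tls" if pick[0] == "_xmpps-client" else "starttls"
            order.append((mode, pick[3], pick[4]))
    return order

if __name__ == "__main__":
    for supported in (True, False):
        print("XEP-0368 supported:", supported)
        for step in connection_order(SRV_RECORDS, supported):
            print("   ", step)
```

With the records above, a supporting client tries direct TLS on 443, then STARTTLS on 443, then STARTTLS on 5222; a client without XEP-0368 support never sees the <code>_xmpps-client</code> record and starts straight at STARTTLS on 443.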
If you have any questions, feel free to ask the author of XEP-0368 via email, XMPP, or as the nick moparisthebest in the [xmpp:xsf@muc.xmpp.org?join XSF MUC].