33
edits
Difference between revisions of "Tech pages/XEP-0368"
Jump to navigation
Jump to search
add turns examples
(add turns examples) |
|||
| Line 22: | Line 22: | ||
upstream xmppserver { | upstream xmppserver { | ||
server xmppserver:5223; | server xmppserver:5223; | ||
} | |||
upstream turnserver { | |||
server turnserver:3477; | |||
} | } | ||
| Line 27: | Line 31: | ||
default httpserver; | default httpserver; | ||
"xmpp-client" xmppserver; | "xmpp-client" xmppserver; | ||
"stun.turn" turnserver; | |||
"stun.nat-discovery" turnserver; | |||
} | } | ||
| Line 35: | Line 41: | ||
proxy_pass $upstream; | proxy_pass $upstream; | ||
} | } | ||
}</nowiki> | } | ||
</nowiki> | |||
Nginx will route only TLS traffic in this configuration so this configuration will work only with direct TLS (<code>_xmpps-client</code> SRV record). Connections that start unencrypted and then request encryption (STARTTLS, <code>_xmpp-client</code> record) will not work. | Nginx will route only TLS traffic in this configuration so this configuration will work only with direct TLS (<code>_xmpps-client</code> SRV record). Connections that start unencrypted and then request encryption (STARTTLS, <code>_xmpp-client</code> record) will not work. | ||
| Line 68: | Line 75: | ||
# 5222 is a regular/plain/starttls xmpp port (prosody c2s_ports, ejabberd listen with starttls: true) | # 5222 is a regular/plain/starttls xmpp port (prosody c2s_ports, ejabberd listen with starttls: true) | ||
# 994 is "direct-tls" imap port, imaps (dovecot etc) | # 994 is "direct-tls" imap port, imaps (dovecot etc) | ||
# 3477 is TURNS (TURN-over-TLS) port (coturn etc) | |||
protocols: | protocols: | ||
( | ( | ||
{ name: "tls"; host: "127.0.0.1"; port: "442"; alpn_protocols: [ "h2", "http/1.1" ]; }, | { name: "tls"; host: "127.0.0.1"; port: "442"; alpn_protocols: [ "h2", "http/1.1" ]; }, # https most common case | ||
{ name: "tls"; host: "127.0.0.1"; port: "5223"; alpn_protocols: [ "xmpp-client" ]; }, | { name: "tls"; host: "127.0.0.1"; port: "5223"; alpn_protocols: [ "xmpp-client" ]; }, # check for XEP-0368 xmpp tls (this needs to be above SNI check below because XEP-0368 would send example.org in SNI) | ||
{ name: "tls"; host: "127.0.0.1"; port: "442"; sni_hostnames: [ "www.example.org", "example.org" ]; }, # specific hostnames go to https | { name: "tls"; host: "127.0.0.1"; port: "442"; sni_hostnames: [ "www.example.org", "example.org" ]; }, # specific hostnames go to https | ||
{ name: "tls"; host: "127.0.0.1"; port: "994"; sni_hostnames: [ "imap.example.org" ]; }, | { name: "tls"; host: "127.0.0.1"; port: "3477"; alpn_protocols: [ "stun.turn", "stun.nat-discovery" ]; }, # turn should send ALPN, but if it doesn't... | ||
{ name: "tls"; host: "127.0.0.1"; port: "442"; }, | { name: "tls"; host: "127.0.0.1"; port: "3477"; sni_hostnames: [ "turn.example.org" ]; }, # we can also match turn on SNI | ||
{ name: "ssh"; host: "127.0.0.1"; port: "22"; }, | { name: "tls"; host: "127.0.0.1"; port: "994"; sni_hostnames: [ "imap.example.org" ]; }, # other hostnames go to imaps | ||
{ name: "xmpp"; host: "127.0.0.1"; port: "5222"; }, | { name: "tls"; host: "127.0.0.1"; port: "442"; }, # anything else TLS assume for https | ||
{ name: "timeout"; host: "127.0.0.1"; port: "442"; } | { name: "ssh"; host: "127.0.0.1"; port: "22"; }, # ssh goes to ssh | ||
{ name: "xmpp"; host: "127.0.0.1"; port: "5222"; }, # xmpp goes to regular xmpp port | |||
{ name: "timeout"; host: "127.0.0.1"; port: "442"; } # send everything unknown to https | |||
); | ); | ||
on-timeout: "timeout"; # if timeout elapses (2 seconds here) go to https | on-timeout: "timeout"; # if timeout elapses (2 seconds here) go to https | ||
</nowiki> | </nowiki> | ||
Another (incorrectly named) example can be found at the [https://wiki.debian.org/InstallingProsody#XMPP_over_HTTPS Debian Wiki] | Another (incorrectly named) example can be found at the [https://wiki.debian.org/InstallingProsody#XMPP_over_HTTPS Debian Wiki] | ||