121
edits
Difference between revisions of "Tech pages/XEP-0368"
Jump to navigation
Jump to search
Add transparent proxying nginx -> ejabberd
Vanitasvitae (talk | contribs) (Add transparent proxying nginx -> ejabberd) |
|||
| (2 intermediate revisions by one other user not shown) | |||
| Line 22: | Line 22: | ||
upstream xmppserver { | upstream xmppserver { | ||
server xmppserver:5223; | server xmppserver:5223; | ||
} | |||
upstream turnserver { | |||
server turnserver:3477; | |||
} | } | ||
| Line 27: | Line 31: | ||
default httpserver; | default httpserver; | ||
"xmpp-client" xmppserver; | "xmpp-client" xmppserver; | ||
"stun.turn" turnserver; | |||
"stun.nat-discovery" turnserver; | |||
} | } | ||
| Line 35: | Line 41: | ||
proxy_pass $upstream; | proxy_pass $upstream; | ||
} | } | ||
}</nowiki> | } | ||
</nowiki> | |||
Nginx will route only TLS traffic in this configuration so this configuration will work only with direct TLS (<code>_xmpps-client</code> SRV record). Connections that start unencrypted and then request encryption (STARTTLS, <code>_xmpp-client</code> record) will not work. | Nginx will route only TLS traffic in this configuration so this configuration will work only with direct TLS (<code>_xmpps-client</code> SRV record). Connections that start unencrypted and then request encryption (STARTTLS, <code>_xmpp-client</code> record) will not work. | ||
| Line 68: | Line 75: | ||
# 5222 is a regular/plain/starttls xmpp port (prosody c2s_ports, ejabberd listen with starttls: true) | # 5222 is a regular/plain/starttls xmpp port (prosody c2s_ports, ejabberd listen with starttls: true) | ||
# 994 is "direct-tls" imap port, imaps (dovecot etc) | # 994 is "direct-tls" imap port, imaps (dovecot etc) | ||
# 3477 is TURNS (TURN-over-TLS) port (coturn etc) NOTE: coturn by default (newer versions) rejects connections from localhost, you'd either need transparent mode, or to turn this off and open up all the risks it entails, for it to accept connections from sslh | |||
protocols: | protocols: | ||
( | ( | ||
{ name: "tls"; host: "127.0.0.1"; port: "442"; alpn_protocols: [ "h2", "http/1.1" ]; }, | { name: "tls"; host: "127.0.0.1"; port: "442"; alpn_protocols: [ "h2", "http/1.1" ]; }, # https most common case | ||
{ name: "tls"; host: "127.0.0.1"; port: "5223"; alpn_protocols: [ "xmpp-client" ]; }, | { name: "tls"; host: "127.0.0.1"; port: "5223"; alpn_protocols: [ "xmpp-client" ]; }, # check for XEP-0368 xmpp tls (this needs to be above SNI check below because XEP-0368 would send example.org in SNI) | ||
{ name: "tls"; host: "127.0.0.1"; port: "442"; sni_hostnames: [ "www.example.org", "example.org" ]; }, # specific hostnames go to https | { name: "tls"; host: "127.0.0.1"; port: "442"; sni_hostnames: [ "www.example.org", "example.org" ]; }, # specific hostnames go to https | ||
{ name: "tls"; host: "127.0.0.1"; port: "994"; sni_hostnames: [ "imap.example.org" ]; }, | { name: "tls"; host: "127.0.0.1"; port: "3477"; alpn_protocols: [ "stun.turn", "stun.nat-discovery" ]; }, # turn should send ALPN, but if it doesn't... | ||
{ name: "tls"; host: "127.0.0.1"; port: "442"; }, | { name: "tls"; host: "127.0.0.1"; port: "3477"; sni_hostnames: [ "turn.example.org" ]; }, # we can also match turn on SNI | ||
{ name: "ssh"; host: "127.0.0.1"; port: "22"; }, | { name: "tls"; host: "127.0.0.1"; port: "994"; sni_hostnames: [ "imap.example.org" ]; }, # other hostnames go to imaps | ||
{ name: "xmpp"; host: "127.0.0.1"; port: "5222"; }, | { name: "tls"; host: "127.0.0.1"; port: "442"; }, # anything else TLS assume for https | ||
{ name: "timeout"; host: "127.0.0.1"; port: "442"; } | { name: "ssh"; host: "127.0.0.1"; port: "22"; }, # ssh goes to ssh | ||
{ name: "xmpp"; host: "127.0.0.1"; port: "5222"; }, # xmpp goes to regular xmpp port | |||
{ name: "timeout"; host: "127.0.0.1"; port: "442"; } # send everything unknown to https | |||
); | ); | ||
on-timeout: "timeout"; # if timeout elapses (2 seconds here) go to https | on-timeout: "timeout"; # if timeout elapses (2 seconds here) go to https | ||
</nowiki> | </nowiki> | ||
Another (incorrectly named) example can be found at the [https://wiki.debian.org/InstallingProsody#XMPP_over_HTTPS Debian Wiki] | Another (incorrectly named) example can be found at the [https://wiki.debian.org/InstallingProsody#XMPP_over_HTTPS Debian Wiki] | ||
== Transparent Proxying == | |||
If your XMPP server and protocol multiplexer are supporting the proxy protocol, you should consider enabling it. | |||
That way your XMPP server will see the real IPs of clients that connect to it. | |||
=== Nginx === | |||
To enable the proxy protocol in nginx, modify your configuration as follows: | |||
<nowiki> | |||
stream { | |||
... | |||
server { | |||
listen 443; | |||
ssl_preread on; | |||
proxy_pass $upstream; | |||
proxy_protocol: on; <-- add this line | |||
} | |||
} | |||
</nowiki> | |||
=== ejabberd === | |||
In case of ejabberd, you want to add an additional handler that accepts the proxy protocol: | |||
<nowiki> | |||
listen: | |||
... | |||
- | |||
port: 5225 | |||
use_proxy_protocol: true <-- Important! | |||
ip: "::" | |||
module: ejabberd_c2s | |||
max_stanza_size: 262144 | |||
shaper: c2s_shaper | |||
access: c2s | |||
tls: true | |||
protocol_options: 'TLS_OPTIONS' | |||
... | |||
</nowiki> | |||
Note that you should only connect to this handler via the proxy protocol, as other connections will be refused. | |||
Now ejabberd will display the real IPs of users that connect to your server via multiplexing over port 443. | |||
== DNS setup == | == DNS setup == | ||