Diff between revisions: Vanitasvitae (Add transparent proxying nginx -> ejabberd) and Neustradamus (minor edit); 3 intermediate revisions by 2 users not shown. Only the changed regions of the page are reproduced below.
[...]
# in this example:
# 5223 is a "direct-tls" xmpp port (prosody c2s_direct_tls_ports, ejabberd listen with tls: true)
# 442 is a https port (nginx, apache, etc)
# 22 is an ssh port (openssh)
[...]
(
    { name: "tls"; host: "127.0.0.1"; port: "442"; alpn_protocols: [ "h2", "http/1.1" ]; }, # https most common case
    { name: "tls"; host: "127.0.0.1"; port: "5223"; alpn_protocols: [ "xmpp-client" ]; }, # check for XEP-0368 xmpp tls (this needs to be above the SNI check below because a XEP-0368 client sends domain.tld in SNI)
    { name: "tls"; host: "127.0.0.1"; port: "442"; sni_hostnames: [ "www.domain.tld", "domain.tld" ]; }, # specific hostnames go to https
    { name: "tls"; host: "127.0.0.1"; port: "3477"; alpn_protocols: [ "stun.turn", "stun.nat-discovery" ]; }, # turn should send ALPN, but if it doesn't...
    { name: "tls"; host: "127.0.0.1"; port: "3477"; sni_hostnames: [ "turn.domain.tld" ]; }, # we can also match turn on SNI
    { name: "tls"; host: "127.0.0.1"; port: "994"; sni_hostnames: [ "imap.domain.tld" ]; }, # other hostnames go to imaps
    { name: "tls"; host: "127.0.0.1"; port: "442"; }, # anything else TLS is assumed to be https
    { name: "ssh"; host: "127.0.0.1"; port: "22"; }, # ssh goes to ssh
[...]
Another (incorrectly named) example can be found at the [https://wiki.debian.org/InstallingProsody#XMPP_over_HTTPS Debian Wiki]
== HAProxy == | |||
Here is a relevant HAProxy configuration snippet that multiplexes XMPP c2s (both the STARTTLS and the XEP-0368 direct-TLS variant), https, IMAPS and TURN on port 443. Only some of the referenced backends are shown.
Note the send-proxy-v2 statements: they make HAProxy prepend a PROXY protocol v2 header carrying the real client address, which the backend must understand. Enable proxy protocol support on each backend (for the XMPP server see the sections below), or remove the statement from the server line; a backend that does not expect the header will reject the connection as garbage. Only accept the PROXY header from HAProxy's own address (or on a loopback/private interface), since any peer allowed to send it can forge client addresses in your logs and access controls.
Also note that the <nowiki><?xml</nowiki> match only catches STARTTLS clients that send an XML declaration before the stream header; a client that opens directly with <nowiki><stream:stream</nowiki> matches no rule and falls through to the default backend once the inspect delay expires.
<nowiki>
frontend ft_https
    bind :443
    mode tcp
    tcp-request inspect-delay 1s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend bk_jabber_c2s if { payload(0,5) -m str "<?xml" }
    use_backend bk_jabber_c2s_tls if { req.ssl_alpn xmpp-client }
    use_backend bk_turn if { req.ssl_alpn stun.turn }
    use_backend bk_turn if { req.ssl_alpn stun.nat-discovery }
    use_backend bk_imaps if { req.ssl_sni -i imap.example.com }
    use_backend bk_https_cdn if { req.ssl_sni -i cdn.example.com }
    default_backend bk_https

backend bk_jabber_c2s
    mode tcp
    server jabber_c2s 192.168.1.1:5222 send-proxy-v2

backend bk_jabber_c2s_tls
    mode tcp
    server jabber_c2s 192.168.1.1:5223 send-proxy-v2

backend bk_turn
    mode tcp
    server turn 192.168.1.1:3477 send-proxy-v2

backend bk_https
    mode tcp
    server https 192.168.1.1:443 send-proxy-v2
</nowiki>
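To see exactly what the sslh and HAProxy demultiplexers above key on, here is an added example (not code from this page, from sslh or from HAProxy) that generates a real ClientHello with OpenSSL through a memory BIO, extracts the SNI and ALPN extensions from it, and replays the ordered rule list of the sslh snippet above (ports 442/5223/3477/994 and the domain.tld hostnames). The matching semantics (any overlapping ALPN value, exact SNI match, first rule wins) are assumed from the snippet's comments rather than taken from sslh's source. Running it shows why the xmpp-client ALPN entry has to sit above the SNI entries: a XEP-0368 client sends domain.tld as SNI and would otherwise be routed to https.

```python
"""Parse the SNI and ALPN a TLS client advertises and replay the sslh routing
table from this page against it.  Added example, not part of the original page
or of sslh/HAProxy; the rule table, backend ports and hostnames are the ones
from the sslh snippet above, everything else is constructed here."""
import ssl
import struct

# Ordered like the sslh "protocols" list: first matching entry wins.
# (backend port, required ALPN set or None, required SNI set or None)
# Match semantics are an assumption based on the snippet's comments.
RULES = [
    (442,  {"h2", "http/1.1"}, None),
    (5223, {"xmpp-client"}, None),              # XEP-0368, must precede SNI rules
    (442,  None, {"www.domain.tld", "domain.tld"}),
    (3477, {"stun.turn", "stun.nat-discovery"}, None),
    (3477, None, {"turn.domain.tld"}),
    (994,  None, {"imap.domain.tld"}),
    (442,  None, None),                          # catch-all TLS -> https
]


def build_client_hello(server_name, alpn):
    """Produce a real ClientHello with OpenSSL via a memory BIO (no network)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if alpn:
        ctx.set_alpn_protocols(alpn)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()          # writes the ClientHello, then waits for the server
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()


def parse_client_hello(data):
    """Return (sni, [alpn...]) from a TLS record carrying a ClientHello.

    This is what sslh's tls probe and HAProxy's req.ssl_sni / req.ssl_alpn
    look at: everything before the first server byte, sent in cleartext."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9 + 2 + 32                 # record hdr(5) + handshake hdr(4) + version + random
    pos += 1 + data[pos]             # session id
    pos += 2 + struct.unpack_from("!H", data, pos)[0]   # cipher suites
    pos += 1 + data[pos]             # compression methods
    ext_end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
    pos += 2
    sni, alpn = None, []
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack_from("!HH", data, pos)
        body = data[pos + 4:pos + 4 + ext_len]
        if ext_type == 0 and len(body) >= 5 and body[2] == 0:   # server_name, host_name
            name_len = struct.unpack_from("!H", body, 3)[0]
            sni = body[5:5 + name_len].decode("ascii")
        elif ext_type == 16:                                     # ALPN list
            i = 2
            while i < len(body):
                n = body[i]
                alpn.append(body[i + 1:i + 1 + n].decode("ascii"))
                i += 1 + n
        pos += 4 + ext_len
    return sni, alpn


def route(sni, alpn):
    """First rule whose ALPN and SNI constraints both hold decides the port."""
    for port, want_alpn, want_sni in RULES:
        if want_alpn is not None and not (want_alpn & set(alpn)):
            continue
        if want_sni is not None and sni not in want_sni:
            continue
        return port
    return None


def route_hello(data):
    """Backend port the sslh rules would pick for this raw ClientHello."""
    sni, alpn = parse_client_hello(data)
    return route(sni, alpn)


if __name__ == "__main__":
    for name, protos in [("domain.tld", ["xmpp-client"]),
                         ("domain.tld", ["h2", "http/1.1"]),
                         ("imap.domain.tld", []),
                         ("turn.domain.tld", [])]:
        print(name, protos, "->", route_hello(build_client_hello(name, protos)))
```

Swapping the order of the first two rules in RULES sends the xmpp-client hello to port 442, which is the misrouting the comment in the sslh snippet warns about; HAProxy avoids it because its req.ssl_alpn rule is evaluated before the req.ssl_sni ones.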
== Transparent Proxying ==
[...]
== DNS setup ==
You then need to set up your [https://wiki.xmpp.org/web/SRV_Records SRV Records] so clients can find it; personally I have mine set up like so (for a JID like me@domain.tld):
_xmpps-client._tcp.domain.tld. 86400 IN SRV 5 0 443 xmpp.domain.tld.
_xmpp-client._tcp.domain.tld. 86400 IN SRV 10 0 443 xmpp.domain.tld.
_xmpp-client._tcp.domain.tld. 86400 IN SRV 15 0 5222 xmpp.domain.tld.
This prioritizes XEP-0368 direct TLS over port 443 first (priority 5), then plain XMPP over 443 (priority 10), and lastly plain XMPP over 5222 (priority 15). A client that doesn't support XEP-0368 never looks up the _xmpps-client record and simply starts with the _xmpp-client ones.
Please note the target can be anything, domain.tld, xmpp.domain.tld, or some.unrelated.domain.net, just as long as it's listening on those ports and has a valid certificate for domain.tld in this case: clients validate the certificate against the JID domain, not against the SRV target, because an unsigned SRV answer could otherwise redirect them to an attacker's host.
If you have any questions feel free to ask the author of XEP-0368 via email, XMPP, or the nick moparisthebest in the [xmpp:xsf@muc.xmpp.org?join XSF MUC]