Difference between revisions of "Tech pages/XEP-0368"
Jump to navigation
Jump to search
| Line 42: | Line 42: | ||
Another (incorrectly named) example can be found at the [https://wiki.debian.org/InstallingProsody#XMPP_over_HTTPS Debian Wiki] | Another (incorrectly named) example can be found at the [https://wiki.debian.org/InstallingProsody#XMPP_over_HTTPS Debian Wiki] | ||
You then need to setup your [https://wiki.xmpp.org/web/SRV_Records SRV Records] so clients can find it, personally I have mine set up like so (for a JID like me@example.org): | |||
_xmpps-client._tcp.example.org. 86400 IN SRV 5 0 443 xmpp.example.org. | |||
_xmpp-client._tcp.example.org. 86400 IN SRV 10 0 443 xmpp.example.org. | |||
_xmpp-client._tcp.example.org. 86400 IN SRV 15 0 5222 xmpp.example.org. | |||
This prioritizes XEP-0368 TLS over port 443 first, then plain XMPP over 443 next, and lastly plain XMPP over 5222. A client that doesn't support XEP-0368 just skips the first record. | |||
Please note the target can be anything, example.org, xmpp.example.org, or some.unrelated.domain.net, just as long as it's listening on those ports and has a valid certificate for example.org in this case. | |||
Revision as of 15:32, 7 November 2017
Here is a sample sslh.conf (Using at least sslh 1.18) to support XEP-0368 among other things:
verbose: false;
foreground: true;
inetd: false;
numeric: true;
transparent: false;
timeout: "2";
user: "nobody";
pidfile: "/run/sslh.pid";
# Note: I had to use IPs everywhere and not hostnames
# List of interfaces on which we should listen
listen:
(
{ host: "0.0.0.0"; port: "443"; },
);
# in this example:
# 5223 is a prosody legacy_ssl_ports "direct-tls" port
# 442 is a nginx https port
# 22 is an ssh port
# 5222 is a prosody c2s_ports
# 994 is dovecot imaps port
protocols:
(
{ name: "tls"; host: "127.0.0.1"; port: "442"; alpn_protocols: [ "h2", "http/1.1" ]; }, # https/nginx most common case
{ name: "tls"; host: "127.0.0.1"; port: "5223"; alpn_protocols: [ "xmpp-client" ]; }, # check for XEP-0368 xmpp tls
{ name: "tls"; host: "127.0.0.1"; port: "442"; sni_hostnames: [ "www.example.org", "example.org" ]; }, # specific hostnames go to nginx
{ name: "tls"; host: "127.0.0.1"; port: "994"; sni_hostnames: [ "imap.example.org" ]; }, # other hostnames go to dovecot
{ name: "tls"; host: "127.0.0.1"; port: "442"; }, # anything else TLS assume for nginx
{ name: "ssh"; host: "127.0.0.1"; port: "22"; }, # ssh goes to openssh
{ name: "xmpp"; host: "127.0.0.1"; port: "5222"; }, # xmpp goes to prosody
{ name: "timeout"; host: "127.0.0.1"; port: "442"; } # send everything unknown to nginx
);
on-timeout: "timeout"; # if timeout elapses (2 seconds here) go to nginx
Another (incorrectly named) example can be found at the Debian Wiki
You then need to setup your SRV Records so clients can find it, personally I have mine set up like so (for a JID like me@example.org):
_xmpps-client._tcp.example.org. 86400 IN SRV 5 0 443 xmpp.example.org. _xmpp-client._tcp.example.org. 86400 IN SRV 10 0 443 xmpp.example.org. _xmpp-client._tcp.example.org. 86400 IN SRV 15 0 5222 xmpp.example.org.
This prioritizes XEP-0368 TLS over port 443 first, then plain XMPP over 443 next, and lastly plain XMPP over 5222. A client that doesn't support XEP-0368 just skips the first record.
Please note the target can be anything, example.org, xmpp.example.org, or some.unrelated.domain.net, just as long as it's listening on those ports and has a valid certificate for example.org in this case.