[Debian-rtc-admin] [rt.debian.org #8257] Allow debvoip to sudoedit prosody config files on vogler

Philipp Kern via RT rt at rt.debian.org
Sun Nov 24 09:24:55 GMT 2024


On Sat Oct 19 14:51:03 2024, debacle at debian.org wrote:
> I guess so, but I lost all my Apache knowledge some years ago. I use
> nginx on my private Jabber server to disentangle various TLS protocols
> all on the same port 443:
> 
> stream {
> 	map $ssl_preread_alpn_protocols $upstream {
> 		default httpserver;
> 		"xmpp-client" xmppserver;
> 		"stun.turn" turnserver;
> 		"stun.nat-discovery" turnserver;
> 	}
> }
> 
> sslh can do that, too, but I'm not sure about the syntax. Also, I
> remember rumours, that nginx were somehow "better" than sslh for that
> task. I can check that in the XMPP operators groups chat.

It looks like haproxy could do that. But I assume prosody (and maybe the backends?) would still want to see the client IP? In that case we'd need to turn on the PROXY protocol somehow, I think. The good thing is that we don't run any web server on that host yet so we could just go and deploy haproxy.

We should be able to do things like "use_backend xmpp_server if { req.ssl_alpn xmpp-client }".

Kind regards
Philipp Kern
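
What the nginx `ssl_preread` map and the suggested haproxy `req.ssl_alpn` rule both rely on, as an added example that is not part of the original message: the ALPN list travels unencrypted in the TLS ClientHello, so a proxy can pick a backend without terminating TLS. The function names and the `build_client_hello` sample builder are illustrative, the input is constructed, and the ClientHello is assumed to fit in a single TLS record.

```python
import struct

# Backend names taken from the nginx map quoted in the thread.
ROUTES = {"xmpp-client": "xmppserver", "stun.turn": "turnserver",
          "stun.nat-discovery": "turnserver"}
DEFAULT = "httpserver"

def alpn_from_client_hello(data: bytes) -> list:
    """Return the ALPN names offered in a raw TLS ClientHello record."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                     # record hdr, handshake hdr, version, random
    pos += 1 + data[pos]                     # session_id
    pos += 2 + struct.unpack_from("!H", data, pos)[0]  # cipher_suites
    pos += 1 + data[pos]                     # compression_methods
    if pos + 2 > len(data):
        return []                            # no extensions block
    end = min(pos + 2 + struct.unpack_from("!H", data, pos)[0], len(data))
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", data, pos)
        body = data[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 16:                   # application_layer_protocol_negotiation
            names, i = [], 2                 # skip the 2-byte list length
            while i < len(body):
                names.append(body[i + 1:i + 1 + body[i]].decode("ascii", "replace"))
                i += 1 + body[i]
            return names
    return []

def pick_backend(data: bytes) -> str:
    """Look up the comma-joined ALPN list, as nginx's map does with its variable."""
    try:
        offered = alpn_from_client_hello(data)
    except (ValueError, IndexError, struct.error):
        offered = []                         # not TLS, or truncated: fall through to default
    return ROUTES.get(",".join(offered), DEFAULT)

def build_client_hello(protocols: list) -> bytes:
    """Constructed sample input: a minimal ClientHello offering the given ALPN names."""
    plist = b"".join(bytes([len(p)]) + p.encode() for p in protocols)
    ext = struct.pack("!HHH", 16, len(plist) + 2, len(plist)) + plist if protocols else b""
    body = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"    # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Because the client chooses the ALPN value, this is a routing decision only; each backend still has to authenticate its own clients.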