[Debian-rtc-admin] [rt.debian.org #8257] Allow debvoip to sudoedit prosody config files on vogler
Philipp Kern via RT
rt at rt.debian.org
Sun Nov 24 15:46:56 GMT 2024
On Sun Nov 24 09:24:54 2024, pkern wrote:
> On Sat Oct 19 14:51:03 2024, debacle at debian.org wrote:
> > I guess so, but I lost all my Apache knowledge some years ago. I use
> > nginx on my private Jabber server to disentangle various TLS
> > protocols
> > all on the same port 443:
> >
> > stream {
> >     map $ssl_preread_alpn_protocols $upstream {
> >         default httpserver;
> >         "xmpp-client" xmppserver;
> >         "stun.turn" turnserver;
> >         "stun.nat-discovery" turnserver;
> >     }
> > }
> >
> > sslh can do that, too, but I'm not sure about the syntax. Also, I
> > remember rumours that nginx was somehow "better" than sslh for that
> > task. I can check that in the XMPP operators groups chat.
>
> It looks like haproxy could do that. But I assume prosody (and maybe
> the backends?) would still want to see the client IP? In that case
> we'd need to turn on the PROXY protocol somehow, I think. The good
> thing is that we don't run any web server on that host yet so we could
> just go and deploy haproxy.
>
> We should be able to do things like "use_backend xmpp_server if {
> req.ssl_alpn xmpp-client }".
I was halfway through the configuration for this (https://wiki.xmpp.org/web/Tech_pages/XEP-0368 documenting it) until I noticed that you don't even serve TLS-only on Prosody. At least it doesn't look like anything is listening on port 5223.
In any case you'd also need mod_net_proxy and I assume a separate port on localhost for that.
I'd also assume that we'd want to throw an error on port 443 unless it's xmpp-client, as I don't think we run either a TURN or STUN server.
In general I am not enthusiastic about supporting firewall circumvention - in that case you should probably use a VPN. But given that it's an official standard in XEP-0368... Well, okay.
Kind regards
Philipp Kern
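Added example, not part of this thread or of the Debian RTC configuration: a haproxy TCP-mode configuration sketching the ALPN demultiplexing and PROXY-protocol hand-off discussed above. The backend names and the localhost port 5224 are assumptions; Prosody would have to listen there with direct TLS and accept the PROXY protocol (mod_net_proxy) so it still sees the real client IP.

```haproxy
# Added example (not from the thread): haproxy in TCP mode demultiplexing
# port 443 by TLS ALPN. Backend names and port 5224 are assumptions.
global
    log /dev/log local0

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client  1m
    timeout server  1m

frontend tls_443
    bind :443
    # Buffer the ClientHello long enough to read the ALPN extension.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Only xmpp-client is served on this host: there is no TURN/STUN
    # here, so any other ALPN (or none) is dropped rather than proxied.
    tcp-request content reject if !{ req.ssl_alpn xmpp-client }
    use_backend xmpp_server if { req.ssl_alpn xmpp-client }
    default_backend reject_all

backend xmpp_server
    # send-proxy prepends a PROXY protocol v1 header carrying the client
    # address; the TLS stream itself is passed through unterminated, so
    # Prosody terminates TLS on the assumed direct-TLS port 5224.
    server prosody 127.0.0.1:5224 send-proxy

backend reject_all
    # Only reached if a connection slips past the ALPN check (e.g. the
    # inspect-delay expires without a ClientHello); close it.
    tcp-request content reject
```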