[sslh] SSLH for XMPP related services

Nk nk at os.vu
Thu Nov 2 18:16:49 UTC 2017


Very interesting thanks!

A few questions:

1] I’m doing all of my config in /etc/default/sslh, is it possible to add the required config there without the need for a separate file?

This is the current config:

RUN=yes

DAEMON=/usr/sbin/sslh

DAEMON_OPTS="--user sslh -p <public_IPv4>:443 -p <public_IPv6>:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --xmpp 127.0.0.1:5222 --pidfile /var/run/sslh/sslh.pid"

2] I see that ejabberd will implement 0368 in v17.09 [the repo I use still provides v17.08], but I can’t find any documentation on how to enable it on v17.09 anyway.

3] Does this mean that basically ejabberd will listen on 5223 and clients like conversations [if configured to use 5223 without SSLH] would automatically know to use such port for all connections, even, for instance, HTTP upload [that currently uses port 5444]? If so how does conversations know to route all traffic on 5223?

4] If point 3 is true and SSLH comes into play, how does SSLH distinguish between SSL traffic destined for ejabberd and that destined for nginx? And how does conversations know that behind port 443 actually then sends traffic to an "all-inclusive" port like 5223?

5] How do I set the default behaviour between ejabberd and nginx HTTPS traffic?

Thanks so much!


Nk

On 2 Nov 2017, 17:46 +0100, moparisthebest <admin at moparisthebest.com>, wrote:
> Hi,
>
> Interesting project. sslh 1.18+ already has everything you need for this
> built-in, you can get a fairly good idea from here:
>
> https://wiki.debian.org/InstallingProsody#XMPP_over_HTTPS
>
> Basically multiplex xep-368 TLS to XMPP TLS port with ALPN, you can
> multiplex startls xmpp with the built-in xmpp probe, you can multiplex
> https with 'alpn_protocols: [ "h2", "http/1.1" ];' and/or SNI, and pick
> a default (I default to https, you could default to xmpps).
>
> Thanks,
> moparisthebest
>
> On 11/02/2017 12:12 PM, Nk wrote:
> > Hi all
> >
> > First off thanks so much for this amazing piece of software.
> >
> > I’m currently using the XMPP function for an XMPP server automation
> > project called aenigma [https://github.com/openspace42/aenigma].
> >
> > I know anything can be probed using a regex, but I’d like to know if
> > anyone has already had experience with feeding XMPP HTTP uploads and
> > other services running on ports other than 5222 to SSLH.
> >
> > Either way, do I need to recompile it to add a probe?
> >
> > What’s the best way to do this?
> >
> > And lastly, is there a way to automatically select “standalone” during
> > installation in a non-interactive fashion?
> >
> > Thanks so much!
> >
> >
> > Nk
> >
> >
> >
> > _______________________________________________
> > sslh mailing list
> > sslh at rutschle.net
> > http://rutschle.net/cgi-bin/mailman/listinfo/sslh
> >
>
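The ALPN/SNI multiplexing moparisthebest describes above, written out as an sslh configuration file (loaded with `-F`) so that questions 4 and 5 can be answered concretely: sslh never decrypts anything, it only inspects the unencrypted ClientHello for ALPN and SNI and then forwards the whole TCP stream to the matching backend; the last `anyprot` entry is the default for whatever nothing else matched. This is an added example, not from the original thread or from the sslh project; the `<public_IPv4>`/`<public_IPv6>` placeholders, the loopback backend addresses and the ejabberd port 5223 are assumptions.

```conf
# Added example sslh.cfg (not from the thread or the sslh project).
# Assumptions: sslh 1.18+ with config-file (-F) support, placeholder public
# addresses, ejabberd offering STARTTLS on 5222 and direct TLS on 5223
# (XEP-0368), nginx listening on 127.0.0.1:443.
user: "sslh";
pidfile: "/var/run/sslh/sslh.pid";

listen:
(
    { host: "<public_IPv4>"; port: "443"; },
    { host: "<public_IPv6>"; port: "443"; }
);

# Probes are tried in the order listed; put the catch-all last.
protocols:
(
    # Plain SSH, recognised by its banner.
    { name: "ssh";  host: "127.0.0.1"; port: "22"; },

    # STARTTLS XMPP: the built-in xmpp probe sees the cleartext stream header.
    { name: "xmpp"; host: "127.0.0.1"; port: "5222"; },

    # XEP-0368 direct TLS: the client announces xmpp-client (or xmpp-server)
    # in the ClientHello's ALPN extension, so the still-encrypted session is
    # handed to ejabberd's TLS port untouched.
    { name: "tls";  host: "127.0.0.1"; port: "5223";
      alpn_protocols: [ "xmpp-client", "xmpp-server" ]; },

    # HTTPS: browsers announce h2 / http/1.1 via ALPN.  Add
    #   sni_hostnames: [ "www.example.com" ];
    # to this entry if you also want to match on the server name.
    { name: "tls";  host: "127.0.0.1"; port: "443";
      alpn_protocols: [ "h2", "http/1.1" ]; },

    # Default: anything unrecognised, including TLS with neither ALPN nor a
    # matching SNI, goes to nginx.  Point this at 5223 to default to xmpps.
    { name: "anyprot"; host: "127.0.0.1"; port: "443"; }
);
```

Because the default entry receives every TLS client that sends no ALPN, check nginx's access log after enabling this: XMPP clients that lack ALPN support will show up there as failed TLS handshakes rather than reaching ejabberd.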