[sslh] SSLH for XMPP related services

nk at os.vu
Thu Nov 2 22:05:25 UTC 2017



________________________________
From: moparisthebest <admin at moparisthebest.com>
Sent: Nov 2, 2017 21:34
To: sslh at rutschle.net
Subject: Re: [sslh] SSLH for XMPP related services

Hi,

I'll reply in-line here.

On 11/02/2017 02:16 PM, Nk wrote:
> 1] I’m doing all of my config in /etc/default/sslh, is it possible to
> add the required config there without the need for a separate file?

Nope, you'll definitely need the separate config file: you cannot
specify alpn or sni matches on the command line.

Ok thanks, I see. How can I keep the files as clean as possible without duplicating info between them? Can I kindly ask you for an example based on my config?

> 2] I see that ejabberd will implement 0368 in v17.09 [the repo I use
> still provides v17.08], but I can’t find any documentation on how to
> enable it on v17.09 anyway.

If I understood the ejabberd dev I asked correctly, it doesn't actually
support it in the way you need.

Not even 17.09?

> 3] Does this mean that basically ejabberd will listen on 5223 and
> clients like conversations [if configured to use 5223 without SSLH]
> would automatically know to use such port for all connections, even, for
> instance, HTTP upload [that currently uses port 5444]? If so how does
> conversations know to route all traffic on 5223?

You can do this (have xmpp clients go directly to 5223) but that doesn't
bypass firewalls that block all but 443.  You'll want SSLH to forward
connections to 443 with the correct xmpp alpn protocol and/or sni.  For
HTTP upload (that is inside ejabberd?) you'll be multiplexing on
hostname (upload.example.org might go there for instance).  In this way
all traffic can go over the same port 443.

I completely hadn't thought of separation based on hostname. At this point why bother with anything else if I can just implement this? How do I instruct SSLH to do this?

> 4] If point 3 is true and SSLH comes into play, how does SSLH
> distinguish between SSL traffic destined for ejabberd and that destined
> for nginx? And how does conversations know that behind port 443 actually
> then sends traffic to an "all-inclusive" port like 5223?

SSLH distinguishes different HTTPS hosts based on SNI.  Conversations
knows port 443 is an xep-368 port via SRV records.  It knows
upload.example.org (for example) is your http upload server because it's
configured that way.

I've found that actually Conversations, even when using an account set to 443, still tries to upload on 5444, respecting the put URL directive. I guess I could change ejabberd to listen on 443 for HTTP upload and then set sslh to filter by hostname, but maybe I should leave ejabberd's ports as standard and let clients connect directly to 5444 if they are not behind a firewall. What do you think?

How do you know that Conversations actually uses 443 for everything when a custom hostname and port 443 are specified? I've tried from behind a firewall as mentioned, and the error message says it was trying on 5444.

> 5] How do I set the default behaviour between ejabberd and nginx HTTPS
> traffic?

That's your default or timeout config, you'll have to pick one to
default to, probably nginx is correct here.

Ok, thank you. And in what file do I specify that?

> Thanks so much!
>
>
>
> Nk

No problem, let me know if you have other questions.

Thank you so much, sorry for the basic questions.

Thanks,
moparisthebest

> On 2 Nov 2017, 17:46 +0100, moparisthebest <admin at moparisthebest.com>,
> wrote:
>> Hi,
>>
>> Interesting project. sslh 1.18+ already has everything you need for this
>> built-in, you can get a fairly good idea from here:
>>
>> https://wiki.debian.org/InstallingProsody#XMPP_over_HTTPS
>>
>> Basically multiplex xep-368 TLS to the XMPP TLS port with ALPN; you can
>> multiplex starttls xmpp with the built-in xmpp probe, you can multiplex
>> https with 'alpn_protocols: [ "h2", "http/1.1" ];' and/or SNI, and pick
>> a default (I default to https, you could default to xmpps).
>>
>> Thanks,
>> moparisthebest
>>
>> On 11/02/2017 12:12 PM, Nk wrote:
>>> Hi all
>>>
>>> First off thanks so much for this amazing piece of software.
>>>
>>> I’m currently using the XMPP function for an XMPP server automation
>>> project called aenigma [https://github.com/openspace42/aenigma].
>>>
>>> I know anything can be probed using a regex, but I’d like to know if
>>> anyone has already had experience with feeding XMPP HTTP uploads and
>>> other services running on ports other than 5222 to SSLH.
>>>
>>> Either way, do I need to recompile it to add a probe?
>>>
>>> What’s the best way to do this?
>>>
>>> And lastly, is there a way to automatically select “standalone” during
>>> installation in a non-interactive fashion?
>>>
>>> Thanks so much!
>>>
>>>
>>> Nk
>>>
>>>
>>>

_______________________________________________
sslh mailing list
sslh at rutschle.net
http://rutschle.net/cgi-bin/mailman/listinfo/sslh
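The thread's recurring question is how sslh tells an xep-368 TLS-XMPP connection, an HTTP-upload host and ordinary HTTPS apart when they all arrive on 443, and where the STARTTLS probe and the default fit in. The script below is an added illustration written for this page; it is not sslh's own code and not part of the thread. It reads the SNI and ALPN extensions out of a TLS ClientHello, matches them against a constructed backend table in configuration order (the analogue of `sni_hostnames` and `alpn_protocols` on a `tls` entry in sslh.cfg, with the unmatched remainder going to a default entry), runs a plaintext XMPP probe modelled loosely on sslh's built-in one when the bytes are not TLS, and falls back to HTTPS otherwise. The backend names and ports, the sample ClientHello and stream header, the XMPP regex, and the exact match precedence are all assumptions for the example; sslh's real probe order and regex are defined by its own configuration and source, and the ALPN value `xmpp-client` comes from XEP-0368.

```python
"""sslh-style first-bytes demultiplexer for port 443 (added example, not sslh code)."""
import re
import struct
from typing import List, Optional, Tuple

# Hypothetical backend table, checked in order like entries in sslh.cfg.
# An empty "sni"/"alpn" list means "no constraint on that field".
BACKENDS = [
    {"name": "xmpps",  "port": 5223, "alpn": ["xmpp-client", "xmpp-server"], "sni": []},
    {"name": "upload", "port": 5444, "alpn": [], "sni": ["upload.example.org"]},
    {"name": "https",  "port": 4443, "alpn": ["h2", "http/1.1"], "sni": []},
]
DEFAULT_BACKEND = "https"          # what the default/timeout entry would be
XMPP_BACKEND = "xmpp"              # plaintext STARTTLS XMPP on 5222
# Approximation of sslh's xmpp probe: a stream header mentioning jabber.
XMPP_PROBE = re.compile(rb"<stream:stream[^>]*jabber")


def parse_client_hello(data: bytes) -> Optional[Tuple[Optional[str], List[str]]]:
    """Return (sni, alpn_list) if `data` starts a TLS ClientHello, else None."""
    try:
        if len(data) < 5 or data[0] != 0x16:          # TLS handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        body = data[5:5 + rec_len]
        if len(body) < 4 or body[0] != 0x01:          # ClientHello handshake type
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) < hs_len:
            return None                               # truncated: need more bytes
        i = 2 + 32                                    # client_version + random
        i += 1 + hello[i]                             # session_id
        i += 2 + struct.unpack("!H", hello[i:i + 2])[0]   # cipher_suites
        i += 1 + hello[i]                             # compression_methods
        sni, alpn = None, []
        if i + 2 > len(hello):
            return sni, alpn                          # no extensions block
        end = i + 2 + struct.unpack("!H", hello[i:i + 2])[0]
        i += 2
        while i + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[i:i + 4])
            ext = hello[i + 4:i + 4 + elen]
            i += 4 + elen
            if etype == 0:                            # server_name
                j = 2                                 # skip list length
                while j + 3 <= len(ext):
                    ntype, nlen = ext[j], struct.unpack("!H", ext[j + 1:j + 3])[0]
                    j += 3
                    if ntype == 0 and sni is None:
                        sni = ext[j:j + nlen].decode("ascii", "replace").lower()
                    j += nlen
            elif etype == 16:                         # ALPN
                j = 2
                while j < len(ext):
                    plen = ext[j]
                    alpn.append(ext[j + 1:j + 1 + plen].decode("ascii", "replace"))
                    j += 1 + plen
        return sni, alpn
    except (IndexError, struct.error):
        return None                                   # malformed: treat as not-TLS


def route(data: bytes) -> str:
    """Pick a backend name for the first bytes of an incoming connection."""
    hello = parse_client_hello(data)
    if hello is not None:
        sni, alpn = hello
        for rule in BACKENDS:
            sni_ok = not rule["sni"] or sni in rule["sni"]
            alpn_ok = not rule["alpn"] or any(p in rule["alpn"] for p in alpn)
            if sni_ok and alpn_ok:
                return rule["name"]
        return DEFAULT_BACKEND                        # TLS, but nothing matched
    if XMPP_PROBE.search(data):
        return XMPP_BACKEND                           # plaintext XMPP (STARTTLS)
    return DEFAULT_BACKEND                            # unknown: default entry


def build_client_hello(sni: Optional[str], alpn: List[str]) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello carrying SNI and ALPN."""
    exts = b""
    if sni:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        lst = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(lst)) + lst
    if alpn:
        protos = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
        lst = struct.pack("!H", len(protos)) + protos
        exts += struct.pack("!HH", 16, len(lst)) + lst
    hello = (b"\x03\x03" + bytes(32) + b"\x00"       # version, random, empty session id
             + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
             + b"\x01\x00"                           # one compression method (null)
             + struct.pack("!H", len(exts)) + exts)
    body = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    for label, first_bytes in [
        ("xep-368 client", build_client_hello("chat.example.org", ["xmpp-client"])),
        ("http upload", build_client_hello("upload.example.org", ["h2", "http/1.1"])),
        ("browser", build_client_hello("www.example.org", ["h2", "http/1.1"])),
        ("starttls xmpp", b"<?xml version='1.0'?><stream:stream xmlns='jabber:client'>"),
        ("ssh", b"SSH-2.0-OpenSSH_7.4\r\n"),
    ]:
        print(f"{label:15} -> {route(first_bytes)}")
```

Two points the toy makes visible that the thread only states: an xep-368 client is identified by ALPN even though its SNI is the ordinary chat hostname, so the ALPN rule has to sit before the generic HTTPS rule (or HTTPS must be the catch-all default, as moparisthebest does); and a client that does not send SNI or ALPN at all lands on the default, which is why the choice of default matters. sslh reads this kind of rule set from its config file rather than the command line; on Debian the `-F`/`--config` path is passed through `DAEMON_OPTS` in `/etc/default/sslh`, which is the usual way to keep that file minimal while the protocol list lives in sslh.cfg.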