-
b43
So I configured stun/turn on my server, configured the ports in the router, range too, but can only call out if I'm on my local network. Any ideas?
-
b43
Can receive calls from server while off my local network but only from someone on my local network...
-
rob
Probably the ports aren't open with your isp
-
b43
Whaaat?
-
b43
They do that too???
-
b43
rob: Could you DM me please?
-
mjk
> Whaaat?
> They do that too???
Alll the time. For your protection <3
-
Licaon_Kter
edhelas: we can talk here since it's ontopic
-
Licaon_Kter
Re: movim.eu rejecting my cert that has DST X3 as an expired intermediate
-
Menel
Secret test who is using outdated server software 😀
-
sam
Licaon_Kter: I haven't been able to communicate with movim.eu at all for a few weeks now.
-
Sam
Is anyone running a proxy in front of their XMPP server that handles XMPP up through at least auth (or possibly all the way through resource binding, but whichever)? I'd be curious to see how you have your server configured.
-
Ge0rG
I merely run a haproxy for the TCP connections without SRV.
-
rob
Same but with traefik
-
MattJ
traefik does TCP?
-
rob
And UDP
-
Licaon_Kter
moparisthebest see Sam ^^^
-
moparisthebest
Sam, like https://github.com/moparisthebest/xmpp-proxy ? kinda
-
Sam
moparisthebest: yes, but I'm thinking about doing auth at this level too and was wondering if anyone is doing that
-
jonas’
what's the use case behind it / the greater picture?
-
jonas’
something like dovecot's submissiond?
-
jonas’
(though it's unclear to me what that would be in the XMPP context)
-
moparisthebest
Sam, which kind of auth, if you mean s2s cert auth, I plan to implement that, if you mean checking client passwords, I do not plan to implement that
-
moparisthebest
right now since SASL EXTERNAL etc isn't implemented, anything behind it has to do dialback
-
Sam
I don't know submissiond, but yes, this is client auth. I have an existing DB of usernames and passwords and I'd like this to handle xmpp auth using that DB, then proxy the connection to the server (presumably using some trusted auth that fills in the sasl identity with the person it has authed as).
-
Sam
I was just curious if anyone was already doing this or if I'd need to write some custom auth plugin for ejabberd and prosody
-
moparisthebest
instead of the proxy approach prosody can just handle xmpp auth using your existing DB, that's how I have mine set up
-
moparisthebest
I assume ejabberd can too
-
Sam
Prosody can't have access to this db for <reasons>
-
moparisthebest
can you extract only the data prosody needs on a schedule, or provide it a view it can access, something like that ?
-
Sam
mostly those reasons are "I don't want to write this in Lua or Elixir or Erlang" but there may be other constraints around vetting the codebase that can access it too.
-
Sam
That seems more difficult than just proxying auth and writing a small "trusted user auth" plugin for whatever the server ends up being
-
moparisthebest
let me just tell you about my setup and it may or may not be helpful to you idea-wise :)
-
moparisthebest
I have a mysql database managed by https://github.com/postfixadmin/postfixadmin , it ends up creating rows with usernames and password hashes
-
moparisthebest
dovecot+postfix+prosody with a slightly modified https://modules.prosody.im/mod_auth_sql.html query that for auth
-
moparisthebest
but, I also want nginx to only let those users log in to web interfaces for some things using the same username+password, it's annoying to get it hooked directly to the database, but by default it can look at username+hash pairs in a .htpasswd file, so I have a bash script run every X minutes as a cronjob that queries the mysql database and dumps it to a .htpasswd file
-
moparisthebest
if you wanted to get fancier you could run that as a change event rather than on a schedule, but, in my setup I don't care
-
ij
moparisthebest, have you ever considered switching from sql to LDAP as an auth backend for all your services?
-
moparisthebest
but that's how I have a bunch of different systems use the same auth...
-
moparisthebest
could do, but no real reason I guess
-
ij
I have had similar setups, but it is far less painful and less work to have LDAP as backend auth… should have done the move to LDAP years before
-
moparisthebest
it's worth saying you might not design a system like this from scratch :) in my case I set up postfix+dovecot+postfixadmin and didn't add XMPP until years later
-
ij
same over here, but with exim+dovecot and my own admin UI…
-
Ellenor Bjornsd.
EXIM
-
Ellenor Bjornsd.
is that the one of choice for recovering qmailers?
-
jonas’
Sam, are you aware of https://modules.prosody.im/mod_auth_http.html?
-
moparisthebest
*selfish mode on* but if you come up with a way for a proxy to communicate auth status back to prosody please let me know Sam cause I'll need that :D
-
moparisthebest
I just planned on not letting any connections get through to prosody that aren't properly authed instead, and a module for prosody to just trust everything that does get through
-
jonas’
extend mod_net_proxy to support more metadata?
-
Sam
moparisthebest: will do; I was just going to allow only connections from the proxy at a firewall level and have it do SASL with the identity set (then write a custom module for Prosody or Ejabberd that uses that instead of its own builtin SASL)
-
Sam
jonas’: that could be a viable way to set this up, although I don't really see a point in introducing HTTP (although it does already exist, so it would be easy to let the auth service do that, maybe it's worth a shot). Thanks for the link
-
rozzin
Sam: I use ejabberd with an authenticator written in PHP..., there's an "external auth" module in ejabberd that defines a simplistic protocol for communication between ejabberd and an arbitrary other program....
-
rozzin
And yes, I should probably just have a bunch of these services use LDAP....
-
rozzin
There's one set that I wish I could get to authenticate against a Google domain—if anyone has ideas on how to make ejabberd do that....
-
moparisthebest
php has smtp libraries, modify your program to try to log into google's smtp server with the provided username+password to check validity
-
mjk
Note that if a given account has 2fa enabled (which google probably forced on it), this requires use of an "app password"
-
MattJ
https://modules.prosody.im/mod_auth_imap - I think dovecot can do this too if ejabberd can auth against that