XMPP Service Operators - 2022-07-15

Screen shot?

grey: gajim.org

Hi, is it possible to reverse proxy xmpp ports such as 5222 and 5269 along with the ports used for uploads captcha etc?

gooya: it's possible to reverse-proxy xmpp, e.g. with haproxy, and there are also xmpp proxy tools like https://github.com/surevine/Metre

Ge0rG: Thanks for your reply! Can the same be achieved with nginx?

gooya: no

The XMPP support was never merged afaik

How so? I thought proxy pass serves the same intention as haproxy in that matter?

Direct TLS is probably reverse-proxyable

https://wiki.xmpp.org/web/Tech_pages/XEP-0368 has some words on the topic

Well, all I find on nginx TCP proxying is from "nginx Plus"

I wonder, how do people in that case manage to have such pretty urls like turn.example.com, xmpp.example.com, upload.example.com (without the ports included)

Only using srv records?

gooya: the TURN URLs are normally invisible, and you can run http upload on a regular HTTP reverse proxy or directly from your favorite xmppd

> https://wiki.xmpp.org/web/Tech_pages/XEP-0368 has some words on the topic So following this example, most people will setup xmpp-client using starttls without a reverse proxy and a xmpps-client (direct tls) using reverse proxy and indicating a higher weight or priority when setting up the srv record?

> gooya: the TURN URLs are normally invisible, and you can run http upload on a regular HTTP reverse proxy or directly from your favorite xmppd For e.g. how does ons have such a pretty url for upload.example.com? Is that only posdible with a reverse proxy or can you use ejabberd's mod_http_fileserver of prosody filer fileserver? and use srv records to point to the right address to get rid of the ports?

You define "pretty" as "no port included" ?

No port just means the default port.

> You define "pretty" as "no port included" ? I know this isn't really defined as a pretty url but yes

> No port just means the default port. So upload.example.com uses the default port of 5280?

gooya: I'm running prosody on port 443 of upload.yax.im as a specific example

and have it configured to return "https://upload.yax.im/" urls

https://www.example.com/ means https://www.example.com:443/

I know but when configure f.e. ejabberd the file_server module is defined using the 5280 port. Can you make the fileserver use upload.example.com instead of upload.example.com:5280 using srv records or is a reverse proxy like haproxy or nginx needed?

Sorry these might be very basic questions but I'm still developing my xmpp operator skills

> No port just means the default port. For https that means port 443, while for http it is 80.

Since http upload requires https, that means all you need (for your "pretty" URLs) is to have a thing listen on port 443 for the https service. Whether that is the XMPP server directly or via a reverse proxy doesn't matter.

I've got my own Prosody listening on port 443, without any reverse proxy.

> I've got my own Prosody listening on port 443, without any reverse proxy. But if I'm not mistaken, then you can't run another webserver like a webpage on port 443 as well

I don't.

My vps hosting doesn't allow custom ports, they define the ports for you and that is what you'll have to deal with

gooya: sslh multiplexer or nginx on 443, and redirect to whatever other ports you need ✏

I've got my webshit on a different server, insulated from anything of actual importance.

> I've got my webshit on a different server, insulated from anything of actual importance. I would've done the same if my vps wouldn't limit me as much as it does

Get another VPS

> gooya: sslh multiplexer or nginx on 443, and redirect to whatever other ports you need By chance, do you have a nginx example for this matter?

gooya: an old gist but you'll see the posibilities, for ejabberd but should get you started https://gist.github.com/54d4656cc753b98e1dc0d81a59a73faa

> https://wiki.xmpp.org/web/Tech_pages/XEP-0368 has some words on the topic !!!

> Get another VPS I chose this vps in specific as I'm a bit short on cash atm due to my university fees

gooya: can you run a webserver on https/443?

or configure a reverse proxy with your vps hosting?

> I chose this vps in specific as I'm a bit short on cash atm due to my university fees You can get a decent little vps for about $10 a year, I'll find you a link

you can get a free ARM-based VPS from Oracle

> https://wiki.xmpp.org/web/Tech_pages/XEP-0368 has some words on the topic I'll check try this for sure but it seems a bit too theoretical without many practical explantions but that's probably just me

https://www.oracle.com/cloud/free/ -> "Up to 4 instances of ARM Ampere A1"

Well, it's Oracle, so you never know...

3 EUR/month at netcup.de but I see how the others have cheaper suggestions :-)

> gooya: can you run a webserver on https/443? I believe they have some nginx locked in their vps package which you can't change so hance my workarounds.

Thanks for all the suggestions!

Ge0rG, wasn't that cursed?

> https://www.oracle.com/cloud/free/ -> "Up to 4 instances of ARM Ampere A1" > Well, it's Oracle, so you never know... What is up with oracle? Did i miss something?

Zash: I don't know. They migrated my instance once, does that count as cursed?

So I lied unintentionally, prices went up a bit since I grabbed a few. But rack nerd has 1.5gb ram 2 vcpu with 20gb disk for $16 a year. I got in for $10 something but it is only 1gb ram and a single CPU. https://lowendbox.com/blog/racknerd-new-exclusive-low-end-box-offers-1-5gb-kvm-vps-from-16-55-year-in-los-angeles/

It does renew at the same price though, so you get that deal until you delete the vps

> https://www.oracle.com/cloud/free/ -> "Up to 4 instances of ARM Ampere A1" > Well, it's Oracle, so you never know... This indeed looks promising for a free service, but what does 3000 ocpu hours mean?

How would something like that for example compare to netcup.de or rack nerd? Sorry if this is going too off-topic.

gooya: it means you can run up to 4 CPU cores in parallel permanently

ip-projects.de I have no affiliation with them but i am very pleased with their service and prices. (but your oracle examples are still chaeper)

I'm getting the urge to buy more vps.. I haven't tried arm yet

you can't buy a vps, you can only rent it

I was just thinking that after I put my phone down. Like whats a better word? Lease, buy, subscribe to

Rent?

But I also see often people 'buy' domains.

people also buy netflix.

Elons new victim?

Ownership is imaginary anyway, so call it "buy" all you want.

You also "buy" a pizza, but dont own it forever (when you eat it)

gooya: I think you are saying "reverse proxy" when you mean "multiplexing" ? ie you want all services listening on the same port right?

https://wiki.xmpp.org/web/Tech_pages/XEP-0368 has essentially the exact sslh config I use to accomplish that

> gooya: I think you are saying "reverse proxy" when you mean "multiplexing" ? ie you want all services listening on the same port right? Yes that is what I meant. Sorry still learning sone terms.

Whats about a free VPS ? Euserv.com offer one. 1Core 1GB 10GB HDD 1 IPv6 at 1GBit additional cost 1€ per 1 IPv4 It's a little one, but to do some test ? Full ssh and possibillity to sslh each port

You mean this one? Is it free perpetually? https://www.euserv.com/en/virtual-private-server/root-vserver/v2/vs2-free.php

I'm not sure how usable a VPS is without IPv4

Do they offer NAT?

No idea, but you most probably can't NAT incoming connections to your server

I've seen an offer like that in the past for $0.29/month where they gave you IPv6 and 20 IPv4 NAT port forwards along with 1 ssh port.

The 128MB plan is out of stock, but you can check it here (no endorsement) https://hosting.gullo.me/order/main/packages/nat-ipv4-vps-de/?group_id=5

were you able to choose the external ports?

I've got a VPS elsewhere, so I didn't try.

Surely all people on a given hardware share the same ports, so at most it could be a first come first serve basis, but at best you could choose random ports.

If I operated such a service, I'd probably just allocated it sequentially by container ID - sounds less complicated.

you can choose static random ports for an xmpp server thanks to SRV, but not for http uploads

No way you could get port 80/443 on such a construct, though.

Ge0rG: why not? The XMPP server sends the http upload url along with the port?

It would be interesting if someone offered such a VPS with a combined construct of also providing for a vhost web server that could forward all requests to the right port based on the Host HTTP request header, though.

moparisthebest: sorry, this whole discussion originated from somebody who wasn't able to allocate ports and wanted "nice" URLs

Oh right, well such a service could just multiplex everything TLS with SNI and send it to the proper backend server

TLS-SNI-ALPN everything! You can have the whole datacenter behind a single port!

Matrix also supports well-known - you could set it up on free static web hosting that could point to your ugly subdomain and port number as well.

There exist a ridiculous number of free PHP hosting providers to this day. Would it be feasible to implement an XMPP server on such a platform? (Although, the terms of service of most explicitly prohibit running "chat" services due to the high number of requests per hour involved)

https://github.com/bkil/freedom-fighters/blob/master/hu/free-paas-dynamic-web-hosting.md

Kinda, but why when you can get a real VPS for dollars?

It's an artistic thing - you wouldn't understand 🙊 (But _I_ already have a ~$1/month VPS running)

It was a long time since I scrolled through the standard. Are there any tweaks that could enable reducing the hourly request count of clients to reduce server load? A kind of setting about polling/reconnection frequency?

Thats not part of the standard iirc. So yes, its tweakable. Need a client that doesn't ping much, and a server that holds the connection open. If nothing happens, then there is no traffic. Its just TCP

Most providers have a response timeout between 30-90s, though. And conceptually, properly cached polling every minute should tie up much less server side resources (for <0.2s computation) than keeping the PHP interpreter loaded there for a full minute at a time from a resource sharing standpoint (even if it worked). Most such providers using CloudLinux also have a limit on entry processes, so about 10 concurrent requests can be open at a time. That means up to 10 clients talking on localhost or 5 clients + 5 federation sockets, etc.

This is the concept behind why serverless functions are also billed on the product of time and peak resident memory use.

If we assume to fork one of the existing web clients, I think we could plausibly tweak it from client side as well. Though, I imagine that people like installed apps better.

@bkil:matrix.org: > It would be interesting if someone offered such a VPS with a combined construct of also providing for a vhost web server that could forward all requests to the right port based on the Host HTTP request header, though. You will get a clean server, it is on your side to fill him with life I've ordered s.th. like that a few years ago, install prosody, install sslh and it is up and running. Some month later I need to pimp up prosody to offer vservers where each one got is own certificate. Not a single big one, each vserver got its own. Additional a little bit config in sslh and each vserver gots his own uploadport. Its your turn to make. 😉

@bkil:matrix.org: are you talking about no s2s connections?

Otherwise how do you make those and keep them open from PHP

that's illegal

you can't just offer a good product, no strings attached

you gotta block all users not using google chrome

or inject spyware and adware into your product

get with the times man

who do you think you are?

Yeah, really get along with the current way of doing online business. Harvest and sell data to operate successfully.

> <moparisthebest> Otherwise how do you make those and keep them open from PHP Good question. Again, some kind of batching and rate limiting would be nice to have so they wouldn't be open all the time either, but I guess that won't play well with other servers. I guess if we were able to federate with 5 servers and serve 30 local users at the same time it would still be better than nothing.