XMPP Service Operators - 2022-07-15


  1. grey

    Screen shot?

  2. Licaon_Kter

    grey: gajim.org

  3. gooya

    Hi, is it possible to reverse proxy XMPP ports such as 5222 and 5269 along with the ports used for uploads, captcha, etc.?

  4. Ge0rG

    gooya: it's possible to reverse-proxy xmpp, e.g. with haproxy, and there are also xmpp proxy tools like https://github.com/surevine/Metre

  5. gooya

    Ge0rG: Thanks for your reply! Can the same be achieved with nginx?

  6. Ge0rG

    gooya: no

  7. Zash

    The XMPP support was never merged afaik

  8. gooya

    How so? I thought proxy pass serves the same intention as haproxy in that matter?

  9. Zash

    Direct TLS is probably reverse-proxyable

  10. Zash

    https://wiki.xmpp.org/web/Tech_pages/XEP-0368 has some words on the topic

  11. Ge0rG

    Well, all I find on nginx TCP proxying is from "nginx Plus"

  12. gooya

    I wonder, how do people in that case manage to have such pretty urls like turn.example.com, xmpp.example.com, upload.example.com (without the ports included)

  13. gooya

    Only using srv records?

  14. Ge0rG

    gooya: the TURN URLs are normally invisible, and you can run http upload on a regular HTTP reverse proxy or directly from your favorite xmppd

  15. gooya

    > https://wiki.xmpp.org/web/Tech_pages/XEP-0368 has some words on the topic So following this example, most people will setup xmpp-client using starttls without a reverse proxy and a xmpps-client (direct tls) using reverse proxy and indicating a higher weight or priority when setting up the srv record?

  16. gooya

    > gooya: the TURN URLs are normally invisible, and you can run http upload on a regular HTTP reverse proxy or directly from your favorite xmppd For example, how does one have such a pretty URL for upload.example.com? Is that only possible with a reverse proxy, or can you use ejabberd's mod_http_fileserver or prosody's file server, and use SRV records to point to the right address to get rid of the ports?

  17. Zash

    You define "pretty" as "no port included" ?

  18. Zash

    No port just means the default port.

  19. gooya

    > You define "pretty" as "no port included" ? I know this isn't really defined as a pretty url but yes

  20. gooya

    > No port just means the default port. So upload.example.com uses the default port of 5280?

  21. Ge0rG

    gooya: I'm running prosody on port 443 of upload.yax.im as a specific example

  22. Ge0rG

    and have it configured to return "https://upload.yax.im/" urls

  23. Zash

    https://www.example.com/ means https://www.example.com:443/

  24. gooya

    I know, but when configuring e.g. ejabberd, the file_server module is defined using the 5280 port. Can you make the fileserver use upload.example.com instead of upload.example.com:5280 using SRV records, or is a reverse proxy like haproxy or nginx needed?

  25. gooya

    Sorry these might be very basic questions but I'm still developing my xmpp operator skills

  26. Zash

    > No port just means the default port. For https that means port 443, while for http it is 80.

  27. Zash

    Since http upload requires https, that means all you need (for your "pretty" URLs) is to have a thing listen on port 443 for the https service. Whether that is the XMPP server directly or via a reverse proxy doesn't matter.

  28. Zash

    I've got my own Prosody listening on port 443, without any reverse proxy.

  29. gooya

    > I've got my own Prosody listening on port 443, without any reverse proxy. But if I'm not mistaken, then you can't run another webserver like a webpage on port 443 as well

  30. Zash

    I don't.

  31. gooya

    My vps hosting doesn't allow custom ports, they define the ports for you and that is what you'll have to deal with

  32. Licaon_Kter

    gooya: sslh multiplexer or nginx on 443

  33. Licaon_Kter

    gooya: sslh multiplexer or nginx on 443, and redirect to whatever other ports you need

  34. Zash

    I've got my webshit on a different server, insulated from anything of actual importance.

  35. gooya

    > I've got my webshit on a different server, insulated from anything of actual importance. I would've done the same if my vps wouldn't limit me as much as it does

  36. Zash

    Get another VPS

  37. gooya

    > gooya: sslh multiplexer or nginx on 443, and redirect to whatever other ports you need By chance, do you have a nginx example for this matter?

  38. Licaon_Kter

    gooya: an old gist, but you'll see the possibilities; it's for ejabberd but should get you started https://gist.github.com/54d4656cc753b98e1dc0d81a59a73faa

  39. Zash

    > https://wiki.xmpp.org/web/Tech_pages/XEP-0368 has some words on the topic !!!

  40. gooya

    > Get another VPS I chose this vps in specific as I'm a bit short on cash atm due to my university fees

  41. Ge0rG

    gooya: can you run a webserver on https/443?

  42. Ge0rG

    or configure a reverse proxy with your vps hosting?

  43. rob

    > I chose this vps in specific as I'm a bit short on cash atm due to my university fees You can get a decent little vps for about $10 a year, I'll find you a link

  44. Ge0rG

    you can get a free ARM-based VPS from Oracle

  45. gooya

    > https://wiki.xmpp.org/web/Tech_pages/XEP-0368 has some words on the topic I'll try this for sure, but it seems a bit too theoretical without many practical explanations; that's probably just me.

  46. Ge0rG

    https://www.oracle.com/cloud/free/ -> "Up to 4 instances of ARM Ampere A1"

  47. Ge0rG

    Well, it's Oracle, so you never know...

  48. Holger

    3 EUR/month at netcup.de but I see how the others have cheaper suggestions :-)

  49. gooya

    > gooya: can you run a webserver on https/443? I believe they have some nginx locked in their VPS package which you can't change, hence my workarounds.

  50. gooya

    Thanks for all the suggestions!

  51. Zash

    Ge0rG, wasn't that cursed?

  52. gooya

    > https://www.oracle.com/cloud/free/ -> "Up to 4 instances of ARM Ampere A1" > Well, it's Oracle, so you never know... What is up with oracle? Did i miss something?

  53. Ge0rG

    Zash: I don't know. They migrated my instance once, does that count as cursed?

  54. rob

    So I lied unintentionally, prices went up a bit since I grabbed a few. But rack nerd has 1.5gb ram 2 vcpu with 20gb disk for $16 a year. I got in for $10 something but it is only 1gb ram and a single CPU. https://lowendbox.com/blog/racknerd-new-exclusive-low-end-box-offers-1-5gb-kvm-vps-from-16-55-year-in-los-angeles/

  55. rob

    It does renew at the same price though, so you get that deal until you delete the vps

  56. gooya

    > https://www.oracle.com/cloud/free/ -> "Up to 4 instances of ARM Ampere A1" > Well, it's Oracle, so you never know... This indeed looks promising for a free service, but what does 3000 ocpu hours mean?

  57. gooya

    How would something like that for example compare to netcup.de or rack nerd? Sorry if this is going too off-topic.

  58. Ge0rG

    gooya: it means you can run up to 4 CPU cores in parallel permanently

  59. william.chatner

    ip-projects.de. I have no affiliation with them, but I am very pleased with their service and prices. (But your Oracle examples are still cheaper.)

  60. rob

    I'm getting the urge to buy more vps.. I haven't tried arm yet

  61. Ge0rG

    you can't buy a vps, you can only rent it

  62. rob

    I was just thinking that after I put my phone down. Like, what's a better word? Lease, buy, subscribe to?

  63. Martin

    Rent?

  64. Martin

    But I also see often people 'buy' domains.

  65. Ge0rG

    people also buy netflix.

  66. Martin

    Elon's new victim?

  67. Zash

    Ownership is imaginary anyway, so call it "buy" all you want.

  68. william.chatner

    You also "buy" a pizza, but don't own it forever (when you eat it).

  69. moparisthebest

    gooya: I think you are saying "reverse proxy" when you mean "multiplexing" ? ie you want all services listening on the same port right?

  70. moparisthebest

    https://wiki.xmpp.org/web/Tech_pages/XEP-0368 has essentially the exact sslh config I use to accomplish that

  71. gooya

    > gooya: I think you are saying "reverse proxy" when you mean "multiplexing" ? ie you want all services listening on the same port right? Yes, that is what I meant. Sorry, still learning some terms.

  72. ernst.on.tour

    What about a free VPS? Euserv.com offers one: 1 core, 1GB RAM, 10GB HDD, 1 IPv6 at 1GBit; additional cost 1€ per IPv4. It's a little one, but to do some tests? Full ssh and the possibility to sslh each port.

  73. @bkil:matrix.org

    You mean this one? Is it free perpetually? https://www.euserv.com/en/virtual-private-server/root-vserver/v2/vs2-free.php

  74. Ge0rG

    I'm not sure how usable a VPS is without IPv4

  75. @bkil:matrix.org

    Do they offer NAT?

  76. Ge0rG

    No idea, but you most probably can't NAT incoming connections to your server

  77. @bkil:matrix.org

    I've seen an offer like that in the past for $0.29/month where they gave you IPv6 and 20 IPv4 NAT port forwards along with 1 ssh port.

  78. @bkil:matrix.org

    The 128MB plan is out of stock, but you can check it here (no endorsement) https://hosting.gullo.me/order/main/packages/nat-ipv4-vps-de/?group_id=5

  79. Ge0rG

    were you able to choose the external ports?

  80. @bkil:matrix.org

    I've got a VPS elsewhere, so I didn't try.

  81. @bkil:matrix.org

    Surely all people on a given hardware share the same ports, so at most it could be a first come first serve basis, but at best you could choose random ports.

  82. @bkil:matrix.org

    If I operated such a service, I'd probably just allocate it sequentially by container ID - sounds less complicated.

  83. Ge0rG

    you can choose static random ports for an xmpp server thanks to SRV, but not for http uploads

  84. @bkil:matrix.org

    No way you could get port 80/443 on such a construct, though.

  85. moparisthebest

    Ge0rG: why not? The XMPP server sends the http upload url along with the port?

  86. @bkil:matrix.org

    It would be interesting if someone offered such a VPS with a combined construct of also providing for a vhost web server that could forward all requests to the right port based on the Host HTTP request header, though.

  87. Ge0rG

    moparisthebest: sorry, this whole discussion originated from somebody who wasn't able to allocate ports and wanted "nice" URLs

  88. moparisthebest

    Oh right, well such a service could just multiplex everything TLS with SNI and send it to the proper backend server

  89. Ge0rG

    TLS-SNI-ALPN everything! You can have the whole datacenter behind a single port!

  90. @bkil:matrix.org

    Matrix also supports well-known - you could set it up on free static web hosting that could point to your ugly subdomain and port number as well.

  91. @bkil:matrix.org

    There exist a ridiculous number of free PHP hosting providers to this day. Would it be feasible to implement an XMPP server on such a platform? (Although, the terms of service of most explicitly prohibit running "chat" services due to the high number of requests per hour involved)

  92. @bkil:matrix.org

    https://github.com/bkil/freedom-fighters/blob/master/hu/free-paas-dynamic-web-hosting.md

  93. moparisthebest

    Kinda, but why when you can get a real VPS for dollars?

  94. @bkil:matrix.org

    It's an artistic thing - you wouldn't understand 🙊 (But _I_ already have a ~$1/month VPS running)

  95. @bkil:matrix.org

    It was a long time since I scrolled through the standard. Are there any tweaks that could enable reducing the hourly request count of clients to reduce server load? A kind of setting about polling/reconnection frequency?

  96. Menel

    That's not part of the standard iirc. So yes, it's tweakable. Need a client that doesn't ping much, and a server that holds the connection open. If nothing happens, then there is no traffic. It's just TCP.

  97. @bkil:matrix.org

    Most providers have a response timeout between 30-90s, though. And conceptually, properly cached polling every minute should tie up much less server side resources (for <0.2s computation) than keeping the PHP interpreter loaded there for a full minute at a time from a resource sharing standpoint (even if it worked). Most such providers using CloudLinux also have a limit on entry processes, so about 10 concurrent requests can be open at a time. That means up to 10 clients talking on localhost or 5 clients + 5 federation sockets, etc.

  98. @bkil:matrix.org

    This is the concept behind why serverless functions are also billed on the product of time and peak resident memory use.

  99. @bkil:matrix.org

    If we assume to fork one of the existing web clients, I think we could plausibly tweak it from client side as well. Though, I imagine that people like installed apps better.

  100. ernst.on.tour

    @bkil:matrix.org: > It would be interesting if someone offered such a VPS with a combined construct of also providing for a vhost web server that could forward all requests to the right port based on the Host HTTP request header, though. You will get a clean server; it is on your side to fill it with life. I ordered something like that a few years ago, installed prosody, installed sslh, and it is up and running. Some months later I needed to pimp up prosody to offer vservers where each one got its own certificate. Not a single big one; each vserver got its own. Additionally, a little bit of config in sslh and each vserver gets its own upload port. It's your turn to make it. 😉

  101. moparisthebest

    @bkil:matrix.org: are you talking about no s2s connections?

  102. moparisthebest

    Otherwise how do you make those and keep them open from PHP

  103. nuegia.net

    that's illegal

  104. nuegia.net

    you can't just offer a good product, no strings attached

  105. nuegia.net

    you gotta block all users not using google chrome

  106. nuegia.net

    or inject spyware and adware into your product

  107. nuegia.net

    get with the times man

  108. nuegia.net

    who do you think you are?

  109. gooya

    Yeah, really get along with the current way of doing online business. Harvest and sell data to operate successfully.

  110. @bkil:matrix.org

    > <moparisthebest> Otherwise how do you make those and keep them open from PHP Good question. Again, some kind of batching and rate limiting would be nice to have so they wouldn't be open all the time either, but I guess that won't play well with other servers. I guess if we were able to federate with 5 servers and serve 30 local users at the same time it would still be better than nothing.