-
grey
Screen shot?
-
Licaon_Kter
grey: gajim.org
-
gooya
Hi, is it possible to reverse proxy xmpp ports such as 5222 and 5269 along with the ports used for uploads captcha etc?
-
Ge0rG
gooya: it's possible to reverse-proxy xmpp, e.g. with haproxy, and there are also xmpp proxy tools like https://github.com/surevine/Metre
-
gooya
Ge0rG: Thanks for your reply! Can the same be achieved with nginx?
-
Ge0rG
gooya: no
-
Zash
The XMPP support was never merged afaik
-
gooya
How so? I thought proxy pass serves the same intention as haproxy in that matter?
-
Zash
Direct TLS is probably reverse-proxyable
-
Zash
https://wiki.xmpp.org/web/Tech_pages/XEP-0368 has some words on the topic
-
Ge0rG
Well, all I find on nginx TCP proxying is from "nginx Plus"
-
gooya
I wonder, how do people in that case manage to have such pretty urls like turn.example.com, xmpp.example.com, upload.example.com (without the ports included)
-
gooya
Only using srv records?
-
Ge0rG
gooya: the TURN URLs are normally invisible, and you can run http upload on a regular HTTP reverse proxy or directly from your favorite xmppd
-
gooya
> https://wiki.xmpp.org/web/Tech_pages/XEP-0368 has some words on the topic So following this example, most people will set up xmpp-client using STARTTLS without a reverse proxy and an xmpps-client (direct TLS) using a reverse proxy, and indicate a higher weight or priority when setting up the SRV record?
-
gooya
> gooya: the TURN URLs are normally invisible, and you can run http upload on a regular HTTP reverse proxy or directly from your favorite xmppd For example, how does one have such a pretty URL as upload.example.com? Is that only possible with a reverse proxy, or can you use ejabberd's mod_http_fileserver or prosody filer fileserver and use SRV records to point to the right address to get rid of the ports?
-
Zash
You define "pretty" as "no port included" ?
-
Zash
No port just means the default port.
-
gooya
> You define "pretty" as "no port included" ? I know this isn't really defined as a pretty url but yes
-
gooya
> No port just means the default port. So upload.example.com uses the default port of 5280?
-
Ge0rG
gooya: I'm running prosody on port 443 of upload.yax.im as a specific example
-
Ge0rG
and have it configured to return "https://upload.yax.im/" urls
-
Zash
https://www.example.com/ means https://www.example.com:443/
-
gooya
I know, but when configuring e.g. ejabberd, the file_server module is defined using the 5280 port. Can you make the fileserver use upload.example.com instead of upload.example.com:5280 using SRV records, or is a reverse proxy like haproxy or nginx needed?
-
gooya
Sorry these might be very basic questions but I'm still developing my xmpp operator skills
-
Zash
> No port just means the default port. For https that means port 443, while for http it is 80.
-
Zash
Since http upload requires https, that means all you need (for your "pretty" URLs) is to have a thing listen on port 443 for the https service. Whether that is the XMPP server directly or via a reverse proxy doesn't matter.
-
Zash
I've got my own Prosody listening on port 443, without any reverse proxy.
-
gooya
> I've got my own Prosody listening on port 443, without any reverse proxy. But if I'm not mistaken, then you can't run another webserver like a webpage on port 443 as well
-
Zash
I don't.
-
gooya
My vps hosting doesn't allow custom ports, they define the ports for you and that is what you'll have to deal with
-
Licaon_Kter
gooya: sslh multiplexer or nginx on 443, and redirect to whatever other ports you need
-
Zash
I've got my webshit on a different server, insulated from anything of actual importance.
-
gooya
> I've got my webshit on a different server, insulated from anything of actual importance. I would've done the same if my vps wouldn't limit me as much as it does
-
Zash
Get another VPS
-
gooya
> gooya: sslh multiplexer or nginx on 443, and redirect to whatever other ports you need By chance, do you have a nginx example for this matter?
-
Licaon_Kter
gooya: an old gist, but you'll see the possibilities; it's for ejabberd but should get you started https://gist.github.com/54d4656cc753b98e1dc0d81a59a73faa
-
Zash
> https://wiki.xmpp.org/web/Tech_pages/XEP-0368 has some words on the topic !!!
-
gooya
> Get another VPS I chose this VPS specifically as I'm a bit short on cash atm due to my university fees
-
Ge0rG
gooya: can you run a webserver on https/443?
-
Ge0rG
or configure a reverse proxy with your vps hosting?
-
rob
> I chose this vps in specific as I'm a bit short on cash atm due to my university fees You can get a decent little vps for about $10 a year, I'll find you a link
-
Ge0rG
you can get a free ARM-based VPS from Oracle
-
gooya
> https://wiki.xmpp.org/web/Tech_pages/XEP-0368 has some words on the topic I'll try this for sure, but it seems a bit too theoretical without many practical explanations; but that's probably just me
-
Ge0rG
https://www.oracle.com/cloud/free/ -> "Up to 4 instances of ARM Ampere A1"
-
Ge0rG
Well, it's Oracle, so you never know...
-
Holger
3 EUR/month at netcup.de but I see how the others have cheaper suggestions :-)
-
gooya
> gooya: can you run a webserver on https/443? I believe they have some nginx locked in their VPS package which you can't change, hence my workarounds.
-
gooya
Thanks for all the suggestions!
-
Zash
Ge0rG, wasn't that cursed?
-
gooya
> https://www.oracle.com/cloud/free/ -> "Up to 4 instances of ARM Ampere A1" > Well, it's Oracle, so you never know... What is up with Oracle? Did I miss something?
-
Ge0rG
Zash: I don't know. They migrated my instance once, does that count as cursed?
-
rob
So I lied unintentionally, prices went up a bit since I grabbed a few. But rack nerd has 1.5gb ram 2 vcpu with 20gb disk for $16 a year. I got in for $10 something but it is only 1gb ram and a single CPU. https://lowendbox.com/blog/racknerd-new-exclusive-low-end-box-offers-1-5gb-kvm-vps-from-16-55-year-in-los-angeles/
-
rob
It does renew at the same price though, so you get that deal until you delete the vps
-
gooya
> https://www.oracle.com/cloud/free/ -> "Up to 4 instances of ARM Ampere A1" > Well, it's Oracle, so you never know... This indeed looks promising for a free service, but what does 3000 ocpu hours mean?
-
gooya
How would something like that for example compare to netcup.de or rack nerd? Sorry if this is going too off-topic.
-
Ge0rG
gooya: it means you can run up to 4 CPU cores in parallel permanently
-
william.chatner
ip-projects.de I have no affiliation with them, but I am very pleased with their service and prices. (But your Oracle examples are still cheaper.)
-
rob
I'm getting the urge to buy more vps.. I haven't tried arm yet
-
Ge0rG
you can't buy a vps, you can only rent it
-
rob
I was just thinking that after I put my phone down. Like, what's a better word? Lease, buy, subscribe to
-
Martin
Rent?
-
Martin
But I also see often people 'buy' domains.
-
Ge0rG
people also buy netflix.
-
Martin
Elon's new victim?
-
Zash
Ownership is imaginary anyway, so call it "buy" all you want.
-
william.chatner
You also "buy" a pizza, but don't own it forever (when you eat it)
-
moparisthebest
gooya: I think you are saying "reverse proxy" when you mean "multiplexing" ? ie you want all services listening on the same port right?
-
moparisthebest
https://wiki.xmpp.org/web/Tech_pages/XEP-0368 has essentially the exact sslh config I use to accomplish that
-
gooya
> gooya: I think you are saying "reverse proxy" when you mean "multiplexing" ? ie you want all services listening on the same port right? Yes, that is what I meant. Sorry, still learning some terms.
-
ernst.on.tour
What about a free VPS? Euserv.com offers one. 1 core, 1GB RAM, 10GB HDD, 1 IPv6 at 1GBit; additional cost 1€ per IPv4. It's a little one, but to do some tests? Full ssh and the possibility to sslh each port
-
@bkil:matrix.org
You mean this one? Is it free perpetually? https://www.euserv.com/en/virtual-private-server/root-vserver/v2/vs2-free.php
-
Ge0rG
I'm not sure how usable a VPS is without IPv4
-
@bkil:matrix.org
Do they offer NAT?
-
Ge0rG
No idea, but you most probably can't NAT incoming connections to your server
-
@bkil:matrix.org
I've seen an offer like that in the past for $0.29/month where they gave you IPv6 and 20 IPv4 NAT port forwards along with 1 ssh port.
-
@bkil:matrix.org
The 128MB plan is out of stock, but you can check it here (no endorsement) https://hosting.gullo.me/order/main/packages/nat-ipv4-vps-de/?group_id=5
-
Ge0rG
were you able to choose the external ports?
-
@bkil:matrix.org
I've got a VPS elsewhere, so I didn't try.
-
@bkil:matrix.org
Surely all people on a given hardware share the same ports, so at most it could be a first come first serve basis, but at best you could choose random ports.
-
@bkil:matrix.org
If I operated such a service, I'd probably just allocate it sequentially by container ID - sounds less complicated.
-
Ge0rG
you can choose static random ports for an xmpp server thanks to SRV, but not for http uploads
-
@bkil:matrix.org
No way you could get port 80/443 on such a construct, though.
-
moparisthebest
Ge0rG: why not? The XMPP server sends the http upload url along with the port?
-
@bkil:matrix.org
It would be interesting if someone offered such a VPS with a combined construct of also providing for a vhost web server that could forward all requests to the right port based on the Host HTTP request header, though.
-
Ge0rG
moparisthebest: sorry, this whole discussion originated from somebody who wasn't able to allocate ports and wanted "nice" URLs
-
moparisthebest
Oh right, well such a service could just multiplex everything TLS with SNI and send it to the proper backend server
-
Ge0rG
TLS-SNI-ALPN everything! You can have the whole datacenter behind a single port!
-
@bkil:matrix.org
Matrix also supports well-known - you could set it up on free static web hosting that could point to your ugly subdomain and port number as well.
-
@bkil:matrix.org
There exist a ridiculous number of free PHP hosting providers to this day. Would it be feasible to implement an XMPP server on such a platform? (Although, the terms of service of most explicitly prohibit running "chat" services due to the high number of requests per hour involved)
-
@bkil:matrix.org
https://github.com/bkil/freedom-fighters/blob/master/hu/free-paas-dynamic-web-hosting.md
-
moparisthebest
Kinda, but why when you can get a real VPS for dollars?
-
@bkil:matrix.org
It's an artistic thing - you wouldn't understand 🙊 (But _I_ already have a ~$1/month VPS running)
-
@bkil:matrix.org
It has been a long time since I scrolled through the standard. Are there any tweaks that could enable reducing the hourly request count of clients to reduce server load? A kind of setting about polling/reconnection frequency?
-
Menel
That's not part of the standard iirc. So yes, it's tweakable. Need a client that doesn't ping much, and a server that holds the connection open. If nothing happens, then there is no traffic. It's just TCP
-
@bkil:matrix.org
Most providers have a response timeout between 30-90s, though. And conceptually, properly cached polling every minute should tie up much less server-side resources (for <0.2s computation) than keeping the PHP interpreter loaded there for a full minute at a time, from a resource-sharing standpoint (even if it worked). Most such providers using CloudLinux also have a limit on entry processes, so about 10 concurrent requests can be open at a time. That means up to 10 clients talking on localhost, or 5 clients + 5 federation sockets, etc.
-
@bkil:matrix.org
This is the concept behind why serverless functions are also billed on the product of time and peak resident memory use.
-
@bkil:matrix.org
If we assume to fork one of the existing web clients, I think we could plausibly tweak it from client side as well. Though, I imagine that people like installed apps better.
-
ernst.on.tour
@bkil:matrix.org: > It would be interesting if someone offered such a VPS with a combined construct of also providing for a vhost web server that could forward all requests to the right port based on the Host HTTP request header, though. You will get a clean server; it is on your side to fill it with life. I ordered something like that a few years ago, installed prosody, installed sslh, and it was up and running. Some months later I needed to pimp up prosody to offer vservers where each one got its own certificate. Not a single big one; each vserver got its own. Additionally, a little bit of config in sslh and each vserver gets its own upload port. It's your turn to make it. 😉
-
moparisthebest
@bkil:matrix.org: are you talking about no s2s connections?
-
moparisthebest
Otherwise how do you make those and keep them open from PHP
-
nuegia.net
that's illegal
-
nuegia.net
you can't just offer a good product, no strings attached
-
nuegia.net
you gotta block all users not using google chrome
-
nuegia.net
or inject spyware and adware into your product
-
nuegia.net
get with the times man
-
nuegia.net
who do you think you are?
-
gooya
Yeah, really get along with the current way of doing online business. Harvest and sell data to operate successfully.
-
@bkil:matrix.org
> <moparisthebest> Otherwise how do you make those and keep them open from PHP Good question. Again, some kind of batching and rate limiting would be nice to have so they wouldn't be open all the time either, but I guess that won't play well with other servers. I guess if we were able to federate with 5 servers and serve 30 local users at the same time it would still be better than nothing.