-
Roi
moparisthebest, the old admin of jabber.de used sslh. It was quite a pain until it worked okay.
-
Roi
moparisthebest, these are the old DNS SRV records referring to 5223: _xmpp-client._tls._tcp.openim.de. 60 IN SRV 5 0 5223 openim.de. _xmpps-client._tcp.openim.de. 60 IN SRV 10 0 5223 openim.de. _xmpps-client._tcp.openim.de. 60 IN SRV 5 0 5223 openim.de.
-
Roi
Never heard of _tls._tcp. btw... You?
-
Maranda
Sounds bogus to me
-
Maranda
there's _xmpp-client and _xmpps-client for direct tls
-
Maranda
also there's a duplicated direct tls entry pointing to the very same host which makes no sense.
-
Roi
Maranda, the new records should be 100% okay.
-
Roi
Anyway, a lot of people seem to connect to port 5223, not using direct tls.
-
Maranda
Roi: not sure about the actual configuration of Prosody listeners, but you need to give time for changes to propagate and cached records to actually expire
-
Maranda
Anyways
-
Roi
Maranda, sure I know. But we switched to the new server on March 30th. I know no TTLs which last so long. And as you see above, the TTLs were set to 60 seconds before.
-
Menel
I guess they used clients that specified the port manually
-
Roi
Menel, yes that is also my guess. And that seems to be many. A few clients cannot login so frequently to this port and generate all these errors. Maybe spam scripts? No idea...
-
Menel
Yes, beside a short info text about the changed port on your website there isn't much to do I guess
-
Martin
Maybe move xmpps-client to 443 or some other port and close 5223 after a while (give some time for DNS) if you want to get rid of the error spam in your logs.
-
Menel
It is already on 443 too
-
Menel
and xmpp-client on 80 too, quite robust
-
Martin
Roi: > On our side, port 5223 (unlike on the old openim.de server) is used only for SSL and not TLS. You should also fix this. '…for "Direct TLS" and not "STARTTLS"…'
-
Roi
Menel, > Yes, beside a short info text about the changed port on your website there isn't much to do I guess https://jabber.hot-chilli.net/2023/03/30/openim-de/
-
Roi
Martin, I won't change the current ports for the new vhost. The other vhosts have a lot more users. I did not see this as a problem because of SRV records. These are there for a reason. But surprise, a lot of users like it the old-fashioned way and do a manual setup.
-
Roi
Menel, > It is already on 443 too > and xmpp-client on 80 too, quite robust Yes. As we have a second IP and I do not need these ports for web, we offer these ports for users who are behind firewalls. No idea if this is still needed, but it helped people a lot 15-10 years ago when I talked a lot to people about that setup.
-
Roi
> You should also fix this. '…for "Direct TLS" and not "STARTTLS"…' Yes, thank you. On the server specs page I also still have SSL - as this was the term for a long time. ;-)
-
Roi
Done
-
Roi
But that won't reduce the hammering login tries. ;-)
-
moparisthebest
> _xmpp-client._tls._tcp.openim.de. 60 IN SRV 5 0 5223 openim.de. Maranda, Roi: the original draft of xep 368 had _xmpp-client._tls.domain instead of _xmpps-client._tcp.domain but that one just seems like a mistake
-
ibikk
Establishing a secure connection from jotwewe.de to p2.siacs.eu failed. Certificate hash: b0b50b70971d48aa46db72b2c4fd1f218c8caec9. Error with certificate 0: certificate has expired.
-
Roi
As this came up here, does somebody have an up to date howto for sslh? I found several howtos, but all very old. And came up with this: DAEMON_OPTS="--user sslh -n --transparent --listen ipv4:5223 --listen ipv6:5224 --xmpp 127.0.0.1:5222 --tls 127.0.0.1:5223 --pidfile /var/run/sslh/sslh.pid" This does not work as Prosody sits on 5223. Is there an option to tell Prosody to only listen to port 5223 on localhost without affecting the other ports Prosody is listening to? Also, do I still need to adjust sysctl.conf and iptables?
-
Licaon_Kter
Roi: use a config file you cave man
-
Licaon_Kter
Transparent is a pain to setup, in my experience.
-
Menel
> This does not work as Prosody sits on 5223. Just change the ports in one of the services... Why would you want to listen on the same port with both services? IPv4 and 6 have different ports? That sounds all so wrong. There is a snippet of config somewhere on xmpp.org iirc.. Or somewhere
-
Menel
https://wiki.xmpp.org/web/Tech_pages/XEP-0368#sslh
-
moparisthebest
Yep that's the latest, I have transparent working but it involves so many iptables rules and routing tables etc it's impossible for me to show :/
-
jacob.eva
Any British people here who know about the online safety bill? This is a serious threat to XMPP server operators right?
-
Roi
Well the transparent setup is what I want here if I go this path...
-
Roi
> > This does not work as Prosody sits on 5223. > Just change the ports in one of the services... > Why would you want to listen on the same port with both services? > IPv4 and 6 have different ports? That sounds all so wrong. There is a snippet of config somewhere on xmpp.org iirc.. Or somewhere Maybe you did not follow my problem here. The server just runs fine. But the new vhost (users) are used to a different setup. And I won't change the traditional setup. But I am willing to expand it.
-
Trung
Roi, there's xmpp:prosody@conference.prosody.im?join
-
Roi
Trung, sure I know this room. ;-) But discussion was going on here. ;-)
-
Trung
Roi, forgive me if I'm getting this wrong but I see there are people running bleeding edge distro complaining debian (my distro) is too old and then there're people of openim.de who can't switch to starttls for some unknown reason and you want to support their doing?
-
Roi
Trung, I want to be user-friendly. Also the prosody.log is bugging me where I see 100+ messages per second about unsupported protocol... This also takes a lot of resources, at least I believe so.
-
Roi
Debian? :-) Just upgraded the server to Bullseye. I win the antique prize. ;-)
-
edhelas
Archeodistrology
-
edhelas
An Arch user just died because of you :'(
-
Trung
moparisthebest, edhelas said you died
-
moparisthebest
Wasn't me this time 😅
-
moparisthebest
Roi: https://github.com/yrutschle/sslh/blob/master/doc/tproxy.md is probably what you want, going to have to have prosody listen on different ports, and set up all these rules, good luck :/
-
moparisthebest
This is one of the reasons xmpp-proxy doesn't mess with these shenanigans, it just passes the IP directly to prosody with the PROXY protocol
-
Harper
Does anyone have stats on how many public xmpp servers do or don't support ipv6?
-
Harper
A lot of hosts will drop $2 off price to forgo ipv4, wondering if that is viable
-
moparisthebest
Probably not
-
Roi
moparisthebest, thank you, I will take a look into it. But at the moment, my enthusiasm has already been down again... ;-)