moparisthebest, the old admin of jabber.de used sslh. It was quite a pain until it worked okay.
Roi
moparisthebest, these are the old DNS SRV records referring to 5223:
_xmpp-client._tls._tcp.openim.de. 60 IN SRV 5 0 5223 openim.de.
_xmpps-client._tcp.openim.de. 60 IN SRV 10 0 5223 openim.de.
_xmpps-client._tcp.openim.de. 60 IN SRV 5 0 5223 openim.de.
Roi
Never heard of _tls._tcp. btw... You?
Maranda
Sounds bogus to me
Maranda
there's _xmpp-client and _xmpps-client for direct tls
Maranda
also there's a duplicated direct tls entry pointing to the very same host which makes no sense.
Roi
Maranda, the new records should be 100% okay.
Roi
Anyway, a lot of people seem to connect to port 5223, not using direct tls.
Maranda
Roi: not sure about the actual configuration of Prosody listeners, but you need to give time for changes to propagate and cached records to actually expire
Maranda
Anyways
Roi
Maranda, sure I know. But we switched to the new server on March 30th. I know no TTLs which last so long. And as you see above, the TTLs were set to 60 seconds before.
Menel
I guess they used clients that specified the port manually
Roi
Menel, yes that is also my guess. And that seems to be many. A few clients cannot log in so frequently to this port and generate all these errors.
Maybe spam scripts? No idea...
Menel
Yes, besides a short info text about the changed port on your website there isn't much to do I guess
Martin
Maybe move xmpps-client to 443 or some other port and close 5223 after a while (give some time for DNS) if you want to get rid of the error spam in your logs.
Menel
It is already on 443 too
Menel
and xmpp-client on 80 too, quite robust
Martin
Roi:
> With us, port 5223 (unlike on the old openim.de server) is used only for SSL and not TLS.
You should also fix this. '…for "Direct TLS" and not "STARTTLS"…'
Roi
Menel,
> Yes, beside a short info text about the changed port on your website there isn't much to do I guess
https://jabber.hot-chilli.net/2023/03/30/openim-de/
Roi
Martin, I won't change the current ports for the new vhost. The other vhosts have a lot more users.
I did not see this as a problem because of SRV records. These are there for a reason. But surprise, a lot of users like it the old-fashioned way and do a manual setup.
Roi
Menel,
> It is already on 443 too
> and xmpp-client on 80 too, quite robust
Yes. As we have a second IP and I do not need these ports for web, we offer these ports for users who are behind firewalls. No idea if this is still needed, but it helped people a lot 15-10 years ago when I talked a lot to people about that setup.
Roi
> You should also fix this. '…for "Direct TLS" and not "STARTTLS"…'
Yes, thank you. On the server specs page I also still have SSL - as this was the term for a long time. ;-)
Roi
Done
Roi
But that won't reduce the hammering login tries. ;-)
moparisthebest
> _xmpp-client._tls._tcp.openim.de. 60 IN SRV 5 0 5223 openim.de.
Maranda, Roi: the original draft of XEP-0368 had _xmpp-client._tls.domain instead of _xmpps-client._tcp.domain, but that one just seems like a mistake
ibikk
Establishing a secure connection from jotwewe.de to p2.siacs.eu failed. Certificate hash: b0b50b70971d48aa46db72b2c4fd1f218c8caec9. Error with certificate 0: certificate has expired.
Roi
As this came up here, does somebody have an up to date howto for sslh?
I found several howtos, but all very old. And came up with this:
DAEMON_OPTS="--user sslh -n --transparent --listen ipv4:5223 --listen ipv6:5224 --xmpp 127.0.0.1:5222 --tls 127.0.0.1:5223 --pidfile /var/run/sslh/sslh.pid"
This does not work as Prosody sits on 5223. Is there an option to tell Prosody to only listen to port 5223 on localhost without affecting the other ports Prosody is listening to? Also, do I still need to adjust sysctl.conf and iptables?
Licaon_Kter
Roi: use a config file you cave man
Licaon_Kter
Transparent is a pain to setup, in my experience.
Menel
> This does not work as Prosody sits on 5223.
Just change the ports in one of the services...
Why would you want to listen on the same port with both services?
IPv4 and 6 have different ports? That sounds all so wrong. There is a snippet of config somewhere on xmpp.org iirc.. Or somewhere
Yep that's the latest, I have transparent working but it involves so many iptables rules and routing tables etc it's impossible for me to show :/
jacob.eva
Any British people here who know about the online safety bill? This is a serious threat to XMPP server operators right?
Roi
Well the transparent setup is what I want here if I go this path...
Roi
> > This does not work as Prosody sits on 5223.
> Just change the ports in one of the services...
> Why would you want to listen on the same port with both services?
> IPv4 and 6 have different ports? That sounds all so wrong. There is a snippet of config somewhere on xmpp.org iirc.. Or somewhere
Maybe you did not follow my problem here. The server just runs fine. But the new vhost (users) are used to a different setup. And I won't change the traditional setup. But I am willing to expand it.
Trung, sure I know this room. ;-) But discussion was going on here. ;-)
Trung
Roi, forgive me if i'm getting this wrong but I see there are people running bleeding edge distro complaining debian (my distro) is too old and then there're people of openim.de who can't switch to starttls for some unknown reason and you want to support their doing?
Roi
Trung, I want to be user-friendly. Also the prosody.log is bugging me where I see 100+ messages per second about unsupported protocol... This also takes a lot of resources, at least I believe so.
Roi
Debian? :-) Just upgraded the server to Bullseye. I win the antique prize. ;-)
edhelas
Archeodistrology
edhelas
An Arch user just died because of you :'(
Trung
moparisthebest, edhelas said you died
moparisthebest
Wasn't me this time 😅
moparisthebest
Roi: https://github.com/yrutschle/sslh/blob/master/doc/tproxy.md is probably what you want, going to have to have prosody listen on different ports, and set up all these rules, good luck :/
moparisthebest
This is one of the reasons xmpp-proxy doesn't mess with these shenanigans, it just passes the IP directly to prosody with the PROXY protocol
Harper
Does anyone have stats on how many public xmpp servers do or don't support ipv6?
Harper
A lot of hosts will drop $2 off price to forgo ipv4, wondering if that is viable
moparisthebest
Probably not
Roi
moparisthebest, thank you, I will take a look into it. But at the moment, my enthusiasm is already down again... ;-)