XMPP Service Operators - 2024-02-19

nlnet.nl XMPP server works fine again

They suffered from a configuration issue in the distribution that they used. Should be permanently fixed.

Yup, just heard that from my contact there.

Hi there, does anyone know how resource requirements (load, memory, storage) compare between an XMPP server and an IRC server for lets say 100 users chatting with 400 characters per minute simultaneously. What's the ressource ratio?

Why deploy IRC in $CURRENTYEAR? :)

An RPi1/256Mb can support 100 users doing XMPP things... I guess maybe more IRC lol

I recently looked at The IRC book from 2000 and it was talking about running an IRC server on 8MB (!) memory, AFAIK.

Shiny Rhino, I have no numbers, but might be a good question whether you mean the old IRC or the new IRCv3.

ircv3

i have read that matrix is terrible wrt ressource use with 5GB memory for a handful of users (cf disroot page).

> Why deploy IRC in $CURRENTYEAR? :) ... because it uses minimal ressouces per user.

Shiny Rhino: as always, 'it depends'. XMPP servers can often run well on pretty low resources.

What's low ressouces, eg for a company of 500 users?

I guess when it comes to XMPP it is also a question of how many options you turn on or off.

Your mileage will vary enormously depending on usage patterns, software used, etc, but I'd expect you'd look at numbers in the hundred, maybe single-digit gigabytes of RAM.

text with OMEMO encyption is enough

XMPP does not suffer from the resource usage explosion that you read about for some Matrix servers - there's no worry of that. I do not know how it compares to IRC.

so a 2GB instance for xmpp for 500 users would be worth a start?

If you can easily scale up and down your resources, that could be a good place to start, yes.

again, your mileage will vary enourmously

any recommendations which server to use for someone who has setup an irc server but is new to xmpp? ✏

hehe, you're talking to a server dev :D

What’s the biggest XMPP server we know about and its resource use? :)

My mileage will not vary if we standardize the usecase. Studies needed.

WhatsApp, but they won't tell us ;)

Fortnite possibly? Grinder?

Eve Online too

anyway, as for server recommendations: mine (Openfire) is _obviously_ the best (although many here will disagree ;) ). Common choices are Prosody/Snikket and eJabberd

prosody is extremely lightweight on resources

in particular in small setups

There's a listing of server software on https://xmpp.org/software/

Shiny Rhino, 500 users online at the same time should be absolutely no issue with 2 GiB of RAM, when running Prosody. ✏

> Shiny Rhino, 500 users online at the same time should be absolutely no issue with 2 GiB of RAM, when running Prosody. Sounds great!

Thanks, for the moment. let me know if you have some new info on ressource use! Qapla'

Shiny Rhino, you can see some metrics from a real server (with a slightly higher user count) here: https://stats.jabberfr.org/d/000000002/jabberfr?orgId=1&refresh=1m

MattJ, Thanks, I found a recommendation for IRC server by IONOS which recommends VPS M (2vcores, 4GB) for 100 users, which looks like an overkill to sell their stuff: https://www.ionos.com/digitalguide/server/know-how/irc-server/

oh god and then they build inspircd from source

> WhatsApp, but they won't tell us ;) tried asking? ↺

They deny using XMPP :)

> prosody is extremely lightweight on resources my prosody instance loves eating CPU, but memory wise its low ↺

(which is only half a lie, it's far from standard XMPP these days)

> They deny using XMPP :) How did you even contact them? ↺

I would have expected "f*ck off"

Folk from WhatsApp occasionally pop up in places

aha you got to remember they probably signed an NDA

and also their human rights away

and also put their entire family down as collateral if they leak IP

» [05:59:39] <jonas’> prosody is extremely lightweight on resources Can confirm. Prosody takes up less system resources than *checks htop* everything.

Until people start sending messages and stuff

Lua is light but not fast... at least not in my experiences with it.

While people are sending messages.

I just checked on my active server connected to many other instances, recieving and sending messages. Runs on less resources than my internal tor daemon.

"fast" is always relative, without a frame of reference, it's useless

> I just checked on my active server connected to many other instances, recieving and sending messages. Runs on less resources than my internal tor daemon. tor is doing crypto of course it will be resource intensive ↺

in fact tor needs beefy servers to perform well... onion routing is far from efficient resource wise

Yes but my tor daemon is literally doing nothing right now.

Prosody uses crypto too

Old term, tls

Also I think it's rather "fast" beeing used for games.... Needs to not be slow..

I know we can all agree any XMPP server is better than running any Matrix servers. Those things want you to feed them RAM sticks daily. ✏

> Prosody uses crypto too TLS ↺

not encrypting a payload 3 times with different keys

hence "onion"

> not encrypting a payload 3 times with different keys _possibly even more times_ ↺

It's running better than my currently inactive spamd.

Less CPU, less RAM.

There is your example of an efficient and performant server.

would need solid benchmarks to find the truth here.

but in my experience prosody went nom nom on my CPU

Yes, perhaps. Unfortunately, I do not wish to perform such benchmarks on my production server.

Testing in production is 100% safe...

_totally_

I'm too busy using my huge bandwidth to fend off ddos attacks.

Then procrastinating adding ddos protection.

> I'm too busy using my huge bandwidth to fend off ddos attacks. huge bandwidth? ↺

> Then procrastinating adding ddos protection. ddos protection involves feeding your packets to big companies ↺

I rather be hit with a DDOS

No, not that kind of ddos protection.

soooo. IP blocking?

I guess but more automatic and does the job for me.

i r b0t

Can somebody tell BobEvans to ping me, pls tnx

> Polarian: > 2024-02-19 01:04 (EST) > huge bandwidth? > ddos protection involves feeding your packets to big companies > I rather be hit with a DDOS You can put a reverse proxy in a big data center or a router and do your filtering there but keep tls intact. Filter the big stuff on the cloud then run layer 7 inspection on the prefiltered traffic on your own secure hardware after decryption

Okay NERD

> You can put a reverse proxy in a big data center or a router and do your filtering there but keep tls intact. Filter the big stuff on the cloud then run layer 7 inspection on the prefiltered traffic on your own secure hardware after decryption They can still hop your traffic

remember they have full access to the data on your server

Then use your fine grained senors to update the big firewall in the cloud

that certificate, they can see it

jabber.ru was a MITM attack, and that was unavoidable

you can't prevent a datacentre from compromising you

That's what encryption is for.

encryption isn't a silver bullet

and the certificates can still be compromised

Tls runs over tcp, tcp can be related regardless of the payload within

you are forgetting the big factor here

you are running it on THEIR hardware

they have full access to it

No

nothing stops them yanking the certificate key

unless you FDE... but its not always possible with cloud providers

You run your application servers on your own hardware. Then you run your proxy servers or routers in the cloud

yes...

they can backdoor the reverse proxy

and because the reverse proxy decrypts then reencypts

they yank the packets that way

No that's a tls terminating proxy

so you want to encapsulate it

I'm talking about a tcp proxy

ohhh

Tls is already encapsulated in tcp

I was just gonna use BasedFlare.

ok that could feasibly work, but it doesn't stop them filtering the packets out

What?

tls encrypts the payload

thats it

nothing stops them from filtering the packet

plus they still get the metadata 🙃

how many packets your server is getting

where from

Nothing stops them in any case.. Grabbing it at the big central internet nodes.

how often

😉

Nothing stopping your ISP from your metadata either.

Don't need a data center

You want packet filtering, the whole purpose is ddos filtering right?

> Nothing stopping your ISP from your metadata either. Indeed

I am mainly just showing its pointless

It's not pointless.

It wasn't.

_plus the added latency_

It has purpose but you are missing the point.

plus more points of failure ✏

First define your scope. I thought this was about ddos filtering. Now it seems to be about internet snooping?

Yeah, it got off track.

Not a surprise considering I am barely able to keep my eyes open

maybe I need another monster...

> Polarian: > 2024-02-19 02:09 (EST) > plus more points of failure True but just add redundancy. You can use VRRP

This man sleep sysadmins.

That's what it's for

If you don't like VRRP openbsd has carp

> True but just add redundancy. You can use VRRP Ever heard simpler is better?

You are running a XMPP server here

not a mission critical datacentre where people will die if you are knocked out

I love these four letter acronyms all around.

What is the alternative? Getting ddosed?

> What is the alternative? Getting ddosed? Yes

You can over-engineer ddos protection.

they give up eventually

It's not like I'm being attacked by the infamous hacker group known as 4chan.

All DDOS protection is, is dropping packets on thick fibre

nothing stops them overloading your ddos protection

you are almost never immune

> If you don't like VRRP openbsd has carp Wirlaburla VRRP is Virtual Redundant Router Protocol, and carp is OpenBSD's protocol to provide a fallback router

I'm not sure this discussion is in good faith anymore

carp keeps pf rules synced

> I'm not sure this discussion is in good faith anymore How so...

Its not malicious... or intended to be malicious

Every time a solution is presented the scope changes

yeah that sums me up...

what was the original point?

Soo you're arguing about stuff you don't know the point of?

no... I am getting lost in something off topic

ok original topic, feeding big companies your packets

that doesn't change either way

slap encryption into it, you only protect the payload

does it matter? probably not...

Cloudflare does TCP proxying already

so you could argue theres no difference here...

~apart from cloudflare being as trustworthy as someone putting a gun to your head~

Cockflare.

I guess doing the TCP proxying yourself _might_ have some benefit... such as being able to use any provider, and more provider freely without being vendor locked

The point was, to use ddos protection, one solution is to route tcp through a bug data enter and handle it there. There are alternatives to cloud flare. Share your data between vendors etc. Nobody said this can't have drawbacks and nobody said it would be the a solution for perfect privacy of metadata. But this goal was never mentioned

Its not always about privacy either... you are trusting their uptime, their server reliability and hoping they don't get congested. Furthermore you add more points of failure.

Yeah, things have pro and cons. Everyone needs to find out what's best for their use case

> The point was, to use ddos protection, one solution is to route tcp through a bug data enter and handle it there. > There are alternatives to cloud flare. Share your data between vendors etc. > Nobody said this can't have drawbacks and nobody said it would be the a solution for perfect privacy of metadata. > But this goal was never mentioned I think to sum it up... most people will just use cloudflare...

> Yeah, things have pro and cons. Everyone needs to find out what's best for their use case I guess its personal opinion

I have done email relaying before to bypass port restrictions

I got to tell you, it aint fun!

you have to check each hop to tell where you are losing emails... and I feel TCP proxying will be a similar problem

your server starts having network issues, you got to check the firewall, then your physical connection, then your provider, then the providers firewall etc etc

plus one point I tried to make, and one which I badly made, you don't know what ports/rules the provider will filter on their edge routers

they could well block ports like port 25 which you would need to ddos protect a email server

but it seems at this point I am just opposing the point simply to oppose it, I guess it isn't a terrible alternative if DDOS protection is something you value...

> You are running a XMPP server here > not a mission critical datacentre where people will die if you are knocked out Define mission critical...

>> You are running a XMPP server here >> not a mission critical datacentre where people will die if you are knocked out > Define mission critical... are people going to die? ↺

Which service should people use since that's like an ever growing threat? Telegram? Line? Viber? Signal? Because if you start this discussion in these terms... ✏

> Which service should people use since that's like an ever growing threat? Telegram? Line? Viber? Signal? Because if you start this discussion in these terms... when you run 911 on XMPP, then talk about the importance ↺

Ok, so we should never use any other service except the one that support 911. Why are you here exactly then?

> Ok, so we should never use any other service except the one that support 911. > > Why are you here exactly then? I'm a server operator... sorta :) ↺

> Polarian: > 2024-02-19 02:13 (EST) > carp keeps pf rules synced > How so... > Its not malicious... or intended to be malicious It's called sealioning

https://en.wikipedia.org/wiki/Sealioning

agris, Denial of service to human beings...

pretty strong allegation :)

Please stop messaging or pinging my name.

wait thats a catch 22... if I ping you then I have messaged, and I can't message because its one of the conditions...