XMPP Service Operators - 2024-02-19


  1. hook

    nlnet.nl XMPP server works fine again

  2. Guus

    They suffered from a configuration issue in the distribution that they used. Should be permanently fixed.

  3. hook

    Yup, just heard that from my contact there.

  4. Shiny Rhino

    Hi there, does anyone know how resource requirements (load, memory, storage) compare between an XMPP server and an IRC server for, let's say, 100 users chatting with 400 characters per minute simultaneously. What's the resource ratio?

  5. Licaon_Kter

    Why deploy IRC in $CURRENTYEAR? :)

  6. Licaon_Kter

    An RPi1/256Mb can support 100 users doing XMPP things... I guess maybe more IRC lol

  7. Shiny Rhino

    I recently looked at The IRC book from 2000 and it was talking about running an IRC server on 8MB (!) memory, AFAIK.

  8. hook

    Shiny Rhino, I have no numbers, but might be a good question whether you mean the old IRC or the new IRCv3.

  9. Shiny Rhino

    ircv3

  10. Shiny Rhino

    i have read that matrix is terrible wrt resource use with 5GB memory for a handful of users (cf disroot page).

  11. Shiny Rhino

    > Why deploy IRC in $CURRENTYEAR? :) ... because it uses minimal resources per user.

  12. Guus

    Shiny Rhino: as always, 'it depends'. XMPP servers can often run well on pretty low resources.

  13. Shiny Rhino

    What's low resources, eg for a company of 500 users?

  14. hook

    I guess when it comes to XMPP it is also a question of how many options you turn on or off.

  15. Guus

    Your mileage will vary enormously depending on usage patterns, software used, etc, but I'd expect you'd look at numbers in the hundreds, maybe single-digit gigabytes of RAM.

  16. Shiny Rhino

    text with OMEMO encryption is enough

  17. Guus

    XMPP does not suffer from the resource usage explosion that you read about for some Matrix servers - there's no worry of that. I do not know how it compares to IRC.

  18. Shiny Rhino

    so a 2GB instance for xmpp for 500 users would be worth a start?

  19. Guus

    If you can easily scale up and down your resources, that could be a good place to start, yes.

  20. Shiny Rhino

    any recommendations which server to use for someone who has setup an irc server but is new to xmpp

  21. Guus

    again, your mileage will vary enormously

  22. Shiny Rhino

    any recommendations which server to use for someone who has setup an irc server but is new to xmpp?

  23. Guus

    hehe, you're talking to a server dev :D

  24. hook

    What’s the biggest XMPP server we know about and its resource use? :)

  25. Shiny Rhino

    My mileage will not vary if we standardize the usecase. Studies needed.

  26. MattJ

    WhatsApp, but they won't tell us ;)

  27. Guus

    Fortnite possibly? Grinder?

  28. roughnecks

    Eve Online too

  29. Guus

    anyway, as for server recommendations: mine (Openfire) is _obviously_ the best (although many here will disagree ;) ). Common choices are Prosody/Snikket and eJabberd

  30. jonas’

    prosody is extremely lightweight on resources

  31. jonas’

    in particular in small setups

  32. Guus

    There's a listing of server software on https://xmpp.org/software/

  33. jonas’

    Shiny Rhino, 500 users online at the same time should be absolutely no issue with 2 GiB of RAM.

  34. jonas’

    Shiny Rhino, 500 users online at the same time should be absolutely no issue with 2 GiB of RAM, when running Prosody.

  35. Shiny Rhino

    > Shiny Rhino, 500 users online at the same time should be absolutely no issue with 2 GiB of RAM, when running Prosody. Sounds great!

  36. Shiny Rhino

    Thanks, for the moment. let me know if you have some new info on resource use! Qapla'

  37. MattJ

    Shiny Rhino, you can see some metrics from a real server (with a slightly higher user count) here: https://stats.jabberfr.org/d/000000002/jabberfr?orgId=1&refresh=1m

  38. Shiny Rhino

    MattJ, Thanks, I found a recommendation for IRC server by IONOS which recommends VPS M (2vcores, 4GB) for 100 users, which looks like an overkill to sell their stuff: https://www.ionos.com/digitalguide/server/know-how/irc-server/

  39. jonas’

    oh god and then they build inspircd from source

  40. Polarian

    > WhatsApp, but they won't tell us ;) tried asking?

  41. MattJ

    They deny using XMPP :)

  42. Polarian

    > prosody is extremely lightweight on resources my prosody instance loves eating CPU, but memory wise it's low

  43. MattJ

    (which is only half a lie, it's far from standard XMPP these days)

  44. Polarian

    > They deny using XMPP :) How did you even contact them?

  45. Polarian

    I would have expected "f*ck off"

  46. MattJ

    Folk from WhatsApp occasionally pop up in places

  47. Polarian

    aha you got to remember they probably signed an NDA

  48. Polarian

    and also their human rights away

  49. Polarian

    and also put their entire family down as collateral if they leak IP

  50. Wirlaburla

    » [05:59:39] <jonas’> prosody is extremely lightweight on resources Can confirm. Prosody takes up less system resources than *checks htop* everything.

  51. Polarian

    Until people start sending messages and stuff

  52. Polarian

    Lua is light but not fast... at least not in my experiences with it.

  53. Wirlaburla

    While people are sending messages.

  54. Wirlaburla

    I just checked on my active server connected to many other instances, receiving and sending messages. Runs on less resources than my internal tor daemon.

  55. moparisthebest

    "fast" is always relative, without a frame of reference, it's useless

  56. Polarian

    > I just checked on my active server connected to many other instances, receiving and sending messages. Runs on less resources than my internal tor daemon. tor is doing crypto of course it will be resource intensive

  57. Polarian

    in fact tor needs beefy servers to perform well... onion routing is far from efficient resource wise

  58. Wirlaburla

    Yes but my tor daemon is literally doing nothing right now.

  59. Menel

    Prosody uses crypto too

  60. Menel

    Old term, tls

  61. Menel

    Also I think it's rather "fast" being used for games.... Needs to not be slow..

  62. Wirlaburla

    I know we can agree any XMPP server is better than running any Matrix servers. Those things want you to feed them RAM sticks daily.

  63. Wirlaburla

    I know we can all agree any XMPP server is better than running any Matrix servers. Those things want you to feed them RAM sticks daily.

  64. Polarian

    > Prosody uses crypto too TLS

  65. Polarian

    not encrypting a payload 3 times with different keys

  66. Polarian

    hence "onion"

  67. Polarian

    > not encrypting a payload 3 times with different keys _possibly even more times_

  68. Wirlaburla

    It's running better than my currently inactive spamd.

  69. Wirlaburla

    Less CPU, less RAM.

  70. Polarian shrugs

  71. Wirlaburla

    There is your example of an efficient and performant server.

  72. Polarian

    would need solid benchmarks to find the truth here.

  73. Polarian

    but in my experience prosody went nom nom on my CPU

  74. Wirlaburla

    Yes, perhaps. Unfortunately, I do not wish to perform such benchmarks on my production server.

  75. Polarian

    Testing in production is 100% safe...

  76. Polarian

    _totally_

  77. Wirlaburla

    I'm too busy using my huge bandwidth to fend off ddos attacks.

  78. Wirlaburla

    Then procrastinating adding ddos protection.

  79. Polarian

    > I'm too busy using my huge bandwidth to fend off ddos attacks. huge bandwidth?

  80. Polarian

    > Then procrastinating adding ddos protection. ddos protection involves feeding your packets to big companies

  81. Polarian

    I'd rather be hit with a DDOS

  82. Wirlaburla

    No, not that kind of ddos protection.

  83. Polarian

    soooo. IP blocking?

  84. Wirlaburla

    I guess but more automatic and does the job for me.

  85. chunk is automatic and does the job for Wirlaburla

  86. chunk

    i r b0t

  87. chunk sends ping to test

  88. chunk

    Can somebody tell BobEvans to ping me, pls tnx

  89. agris

    > Polarian: > 2024-02-19 01:04 (EST) > huge bandwidth? > ddos protection involves feeding your packets to big companies > I'd rather be hit with a DDOS You can put a reverse proxy in a big data center or a router and do your filtering there but keep TLS intact. Filter the big stuff on the cloud, then run layer 7 inspection on the prefiltered traffic on your own secure hardware after decryption

  90. Wirlaburla

    Okay NERD

  91. Polarian

    > You can put a reverse proxy in a big data center or a router and do your filtering there but keep tls intact. Filter the big stuff on the cloud then run layer 7 inspection on the prefiltered traffic on your own secure hardware after decryption They can still hop your traffic

  92. Polarian

    remember they have full access to the data on your server

  93. agris

    Then use your fine-grained sensors to update the big firewall in the cloud

  94. Polarian

    that certificate, they can see it

  95. Polarian

    jabber.ru was a MITM attack, and that was unavoidable

  96. Polarian

    you can't prevent a datacentre from compromising you

  97. agris

    That's what encryption is for.

  98. Polarian

    encryption isn't a silver bullet

  99. Polarian

    and the certificates can still be compromised

  100. agris

    TLS runs over TCP, TCP can be relayed regardless of the payload within

  101. Polarian

    you are forgetting the big factor here

  102. Polarian

    you are running it on THEIR hardware

  103. Polarian

    they have full access to it

  104. agris

    No

  105. Polarian

    nothing stops them yanking the certificate key

  106. Polarian

    unless you FDE... but its not always possible with cloud providers

  107. agris

    You run your application servers on your own hardware. Then you run your proxy servers or routers in the cloud

  108. Polarian

    yes...

  109. Polarian

    they can backdoor the reverse proxy

  110. Polarian

    and because the reverse proxy decrypts then re-encrypts

  111. Polarian

    they yank the packets that way

  112. agris

    No that's a tls terminating proxy

  113. Polarian

    so you want to encapsulate it

  114. agris

    I'm talking about a tcp proxy

  115. Polarian

    ohhh

  116. agris

    Tls is already encapsulated in tcp

  117. Wirlaburla

    I was just gonna use BasedFlare.

  118. Polarian

    ok that could feasibly work, but it doesn't stop them filtering the packets out

  119. agris

    What?

  120. Polarian

    tls encrypts the payload

  121. Polarian

    thats it

  122. Polarian

    nothing stops them from filtering the packet

  123. Polarian

    plus they still get the metadata 🙃

  124. Polarian

    how many packets your server is getting

  125. Polarian

    where from

  126. Menel

    Nothing stops them in any case.. Grabbing it at the big central internet nodes.

  127. Polarian

    how often

  128. Menel

    😉

  129. Wirlaburla

    Nothing stopping your ISP from your metadata either.

  130. Menel

    Don't need a data center

  131. agris

    You want packet filtering, the whole purpose is ddos filtering right?

  132. Polarian

    > Nothing stopping your ISP from your metadata either. Indeed

  133. Polarian

    I am mainly just showing its pointless

  134. Menel

    It's not pointless.

  135. Wirlaburla

    It wasn't.

  136. Polarian

    _plus the added latency_

  137. Wirlaburla

    It has purpose but you are missing the point.

  138. Polarian

    plus more points of failure

  139. Polarian

    plus more points of failure

  140. agris

    First define your scope. I thought this was about ddos filtering. Now it seems to be about internet snooping?

  141. Wirlaburla

    Yeah, it got off track.

  142. Polarian

    Not a surprise considering I am barely able to keep my eyes open

  143. Polarian

    maybe I need another monster...

  144. agris

    > Polarian: > 2024-02-19 02:09 (EST) > plus more points of failure True but just add redundancy. You can use VRRP

  145. Wirlaburla

    This man sleep sysadmins.

  146. agris

    That's what it's for

  147. agris

    If you don't like VRRP openbsd has carp

  148. Polarian

    > True but just add redundancy. You can use VRRP Ever heard simpler is better?

  149. Polarian

    You are running a XMPP server here

  150. Polarian

    not a mission critical datacentre where people will die if you are knocked out

  151. Wirlaburla

    I love these four letter acronyms all around.

  152. agris

    What is the alternative? Getting ddosed?

  153. Polarian

    > What is the alternative? Getting ddosed? Yes

  154. Wirlaburla

    You can over-engineer ddos protection.

  155. Polarian

    they give up eventually

  156. Wirlaburla

    It's not like I'm being attacked by the infamous hacker group known as 4chan.

  157. Polarian

    All DDOS protection is, is dropping packets on thick fibre

  158. Polarian

    nothing stops them overloading your ddos protection

  159. Polarian

    you are almost never immune

  160. Polarian

    > If you don't like VRRP openbsd has carp Wirlaburla VRRP is Virtual Redundant Router Protocol, and carp is OpenBSD's protocol to provide a fallback router

  161. agris

    I'm not sure this discussion is in good faith anymore

  162. Polarian

    carp keeps pf rules synced

  163. Polarian

    > I'm not sure this discussion is in good faith anymore How so...

  164. Polarian

    Its not malicious... or intended to be malicious

  165. agris

    Every time a solution is presented the scope changes

  166. Polarian

    yeah that sums me up...

  167. Polarian

    what was the original point?

  168. Menel

    Soo you're arguing about stuff you don't know the point of?

  169. Polarian

    no... I am getting lost in something off topic

  170. Polarian

    ok original topic, feeding big companies your packets

  171. Polarian

    that doesn't change either way

  172. Polarian

    slap encryption into it, you only protect the payload

  173. Polarian

    does it matter? probably not...

  174. Polarian

    Cloudflare does TCP proxying already

  175. Polarian

    so you could argue theres no difference here...

  176. Polarian

    ~apart from cloudflare being as trustworthy as someone putting a gun to your head~

  177. Wirlaburla

    Cockflare.

  178. Polarian

    I guess doing the TCP proxying yourself _might_ have some benefit... such as being able to use any provider, and move providers freely without being vendor locked

  179. Menel

    The point was, to use ddos protection, one solution is to route TCP through a big data center and handle it there. There are alternatives to Cloudflare. Share your data between vendors etc. Nobody said this can't have drawbacks and nobody said it would be a solution for perfect privacy of metadata. But this goal was never mentioned

  180. Polarian

    It's not always about privacy either... you are trusting their uptime, their server reliability and hoping they don't get congested. Furthermore you add more points of failure.

  181. Menel

    Yeah, things have pro and cons. Everyone needs to find out what's best for their use case

  182. Polarian

    > The point was, to use ddos protection, one solution is to route TCP through a big data center and handle it there. > There are alternatives to Cloudflare. Share your data between vendors etc. > Nobody said this can't have drawbacks and nobody said it would be a solution for perfect privacy of metadata. > But this goal was never mentioned I think to sum it up... most people will just use cloudflare...

  183. Polarian

    > Yeah, things have pro and cons. Everyone needs to find out what's best for their use case I guess it's personal opinion

  184. Polarian

    I have done email relaying before to bypass port restrictions

  185. Polarian

    I got to tell you, it ain't fun!

  186. Polarian

    you have to check each hop to tell where you are losing emails... and I feel TCP proxying will be a similar problem

  187. Polarian

    your server starts having network issues, you got to check the firewall, then your physical connection, then your provider, then the providers firewall etc etc

  188. Polarian

    plus one point I tried to make, and one which I badly made, you don't know what ports/rules the provider will filter on their edge routers

  189. Polarian

    they could well block ports like port 25 which you would need to ddos protect an email server

  190. Polarian

    but it seems at this point I am just opposing the point simply to oppose it, I guess it isn't a terrible alternative if DDOS protection is something you value...

  191. Licaon_Kter

    > You are running a XMPP server here > not a mission critical datacentre where people will die if you are knocked out Define mission critical...

  192. Polarian

    >> You are running a XMPP server here >> not a mission critical datacentre where people will die if you are knocked out > Define mission critical... are people going to die?

  193. Licaon_Kter

    Which service should people use since that's like an ever threat? Telegram? Line? Viber? Signal? Because if you start this discussion in these terms...

  194. Licaon_Kter

    Which service should people use since that's like an ever growing threat? Telegram? Line? Viber? Signal? Because if you start this discussion in these terms...

  195. Polarian

    > Which service should people use since that's like an ever growing threat? Telegram? Line? Viber? Signal? Because if you start this discussion in these terms... when you run 911 on XMPP, then talk about the importance

  196. Licaon_Kter

    Ok, so we should never use any other service except the one that supports 911. Why are you here exactly then?

  197. Polarian

    > Ok, so we should never use any other service except the one that supports 911. > > Why are you here exactly then? I'm a server operator... sorta :)

  198. agris

    > Polarian: > 2024-02-19 02:13 (EST) > carp keeps pf rules synced > How so... > Its not malicious... or intended to be malicious It's called sealioning

  199. agris

    https://en.wikipedia.org/wiki/Sealioning

  200. Polarian

    agris, Denial of service to human beings...

  201. Polarian

    pretty strong allegation :)

  202. agris

    Please stop messaging or pinging my name.

  203. Polarian

    wait that's a catch-22... if I ping you then I have messaged, and I can't message because it's one of the conditions...