XMPP Service Operators - 2024-04-04

  1. Polarian

    > im sure there is a better way to handle it, thats just how i set it up in a pinch, and it certainly does need improvement. im still yet to get moparisthebest's xmpp-proxy set up properly with prosody. tried before, but couldnt seem to get it to work properly.

    I don't see how a reverse proxy is useful here

  2. Polarian

    reverse proxies became widely used in web because of no ability to use ports other than 443

  3. Polarian

    with SRV record support for XMPP, adding a single point of failure (a reverse proxy) when service records can specify different ports for different servers seems counter productive

  4. Polarian

    but whatever floats your boat 🙂

  5. Polarian

    I guess its useful for load balancing

  6. rewtkid

    yes thats the point

  7. Polarian

    how many users do you have O.O

  8. rewtkid

    for XMPP? not many, yet. i dont know an exact number.

  9. rewtkid

    i havent really tried to "advertise" my service or anything. i did try to put it on list.jabber.at (i think thats it), but i think it blocks Tor or something. it would not send me a confirmation email or message.

  10. Polarian

    I see no reason for this

  11. Polarian

    it just seems like additional latency, points of failure

  12. Polarian

    you can do all this with SRV records no?

  13. Polarian

    and more powerful too

  14. rewtkid

    I dont know.

  15. rewtkid

    i will look into it though

  16. Polarian

    SRV weight is, well, the weighting on being picked

  17. Polarian

    and SRV priority for priority

  18. Polarian

    define main servers, and failover servers for example

  19. rewtkid

    and as for latency, it probably adds like 5ms of latency, at most.

  20. Polarian

    idk I guess moparisthebest would have to explain why use his xmpp-proxy

  21. Polarian

    but I don't see why SRV can't do it all

  22. Wirlaburla

    Seems flakey to use SRV for load balancing.

  23. Polarian

    > Seems flakey to use SRV for load balancing.

    flakey?

  24. Wirlaburla

    Just doesn't seem it should be used for that purpose.

  25. rewtkid

    i know what srv records are, but ive never had a reason to look into them or even use them. so im not sure exactly what they are capable of when it comes to load balancing. i will take your advice and look into it, however.

  26. Polarian

    > i know what srv records are, but ive never had a reason to look into them or even use them. so im not sure exactly what they are capable of when it comes to load balancing. i will take your advice and look into it, however.

    SRV was designed for that purpose...

  27. rewtkid

    I see.

  28. Polarian

    well not designed specifically for the purpose, but it was thought out

  29. Polarian


  30. Polarian

    > Just doesn't seem it should be used for that purpose.

    any benchmarks or proof of this? can't eliminate an option without solid proof it doesn't work

  31. rewtkid

    like i said though, the only reason i set this up in the first place was to mitigate some DDoS attacks from a certain group of people. hence why the backend isnt even hidden on XMPP when connecting to other servers. there was just some script kiddies trying to troll.

  32. rewtkid

    and the solution seemed to work pretty well.

  33. rewtkid

    they were not able to take down every server at once.

  34. rewtkid

    or any of them, for that matter, since their HTTP flood was being distributed across all servers and seemingly none of them got overwhelmed.

  35. Polarian

    ah this (https://datatracker.ietf.org/doc/html/rfc6120#section-3.2.3) answers why rewtkid didn't use srv

  36. rewtkid

    like i said though, the setup is definitely not as good as it could be, but it got the job done in a pinch

  37. Polarian

    although funny thing is moparisthebest was the one which wrote https://xmpp.org/extensions/xep-0368.html

  38. Polarian

    > like i said though, the setup is definitely not as good as it could be, but it got the job done in a pinch

    why not just KISS

  39. rewtkid

    it is pretty simple, its just HAProxy, nginx reverse proxies, and A records.

  40. Polarian

    but multiple XMPP servers?

  41. rewtkid

    there is only one xmpp server, which runs on the backend server. each reverse proxy server forwards the requests to the same XMPP server.

  42. Polarian


  43. rewtkid

    Yeah, lol

  44. Polarian

    that seems very overcomplicated...

  45. rewtkid

    not really, its pretty trivial to accomplish with HAProxy

  46. Polarian

    whatever floats your boat I guess

  47. Polarian

    does it store logs though 😉 (seen as you have a no log policy hehe)

  48. rewtkid


  49. rewtkid

    also moparisthebest, sorry to disturb, but for xmpp-proxy, it seemingly sends traffic to the backend server in plaintext from what i understand. this might pose a security risk, in some cases. are there any workarounds for this that you can recommend?

  50. rewtkid


  51. rewtkid

    i do want to use it, seems very useful for what im trying to accomplish here. but that is one thing that sets me off about using it.

  52. rewtkid

    really all im trying to do is proxy S2S connections. if anyone has any solutions or recommendations, please let me know. i am running prosody, for the record.

  53. moparisthebest

    rewtkid: currently it is plaintext between xmpp-proxy and the backend server because they are meant to run on the same machine or trusted network, preferably over a Unix socket even... If you have a use case where that should be encrypted it's trivial I think...

  54. rewtkid

    hmm, could maybe use HAProxy with PROXY protocol. but that would only proxy inbound connections, not outbound connections.

  55. rewtkid

    maybe it would be possible to use something like socat and open a TLS socket to the backend server, then have both sides send connections to socat's listener, instead of directly to the other machine?

  56. moparisthebest

    And if haproxy does TLS then sasl external auth won't work and you need that for incoming s2s, and indeed no outgoing, you can join xmpp:xmpp-proxy@code.moparisthe.best?join if you have more questions

  57. moparisthebest

    Yes you could run xmpp-proxy over stunnel/socat

  58. rewtkid

    I see, might try that later on then. if i have more questions ill pop into your chat

  59. roughnecks

    not sure if I can ask here.. I would like to show my webchat (I have a conversejs prosody module and a Movim instance) in search.jabber.network, but I don't know how

  60. jonas’

    roughnecks, https://search.jabber.network/docs/operators scroll down to features

  61. roughnecks

    thanks jonas’

  62. roughnecks

    would that be ok if my webclient only accepts connections from my server?

  63. snikket dot deeeeee

    Wouldn't that defy the purpose. And confuse 90% of the people pressing the link?

  64. roughnecks

    guess so :)

  65. jonas’

    roughnecks, what do you mean by "accepts connections only from your server"?

  66. roughnecks

    that you can't connect if your account is not from my server

  67. jonas’


  68. jonas’

    no that's totally sensible

  69. jonas’

    but "Join via web" expects that it's an anonymous thing

  70. jonas’

    so without login

  71. snikket dot deeeeee

    For your own users, I think it would be best if you announce your xmpp web client in some other way. Maybe on your homepage

  72. roughnecks

    okay then, nevermind

  73. yoyoyo


  74. yoyoyo

    Hey, im new to xmpp and trying to figure it out on pidgin with otr. does anyone want to give me their username so i can see if its working..

  75. MattJ

    Hi, welcome! Pidgin with OTR is not a great place to start. I recommend checking out the guides at https://joinjabber.org

  76. MattJ

    OTR is a very old encryption method and very few people would be able to talk to you using it

  77. yoyoyo

    So you recommend OMEMO?

  78. MattJ

    It has been removed from most XMPP software, replaced by OMEMO. However Pidgin's XMPP support is currently very out of date.

  79. yoyoyo

    im trying to setup xmpp with encryption on tailsos which comes with pidgin...

  80. yoyoyo

    I will check out that link, thanks.

  81. Stix (loqi)

    yoyoyo, I highly recommend giving Gajim.org a try. It works great on linux

  82. yoyoyo

    Stix (loqi) looks like a good option, thx

  83. yoyoyo

    Stix (loqi) thx for the recommendation. I was able to set it up through Tor on TailsOS. much better ui than pidgin also

  84. Stix (loqi)

    Great! Just make sure you're using the up to date version of gajim 1.8.4

  85. yoyoyo

    im using 1.7.3

  86. yoyoyo

    i downloaded it using sudo apt install gajim

  87. yoyoyo

    is that alright?

  88. yoyoyo


  89. yoyoyo

    im on stable, i guess thats why..

  90. TheCoffeMaker

    try a newer version

  91. nicoco

    Latest gajim is in stable-backports

  92. ernst.on.tour

    As I know there is an own repo for TailsOS? Maybe they stay on 1.7.3?