-
Polarian
> i'm sure there is a better way to handle it, that's just how i set it up in a pinch, and it certainly does need improvement. i'm still yet to get moparisthebest's xmpp-proxy set up properly with prosody. tried before, but couldn't seem to get it to work properly.
I don't see how a reverse proxy is useful here
-
Polarian
reverse proxies became widely used on the web because of the inability to use ports other than 443
-
Polarian
with SRV record support for XMPP, adding a single point of failure (a reverse proxy) when service records can specify different ports for different servers seems counterproductive
-
Polarian
but whatever floats your boat 🙂
-
Polarian
I guess it's useful for load balancing
-
rewtkid
yes that's the point
-
Polarian
how many users do you have O.O
-
rewtkid
for XMPP? not many, yet. i don't know an exact number.
-
rewtkid
i haven't really tried to "advertise" my service or anything. i did try to put it on list.jabber.at (i think that's it), but i think it blocks Tor or something. it would not send me a confirmation email or message.
-
Polarian
I see no reason for this
-
Polarian
it just seems like additional latency, points of failure
-
Polarian
you can do all this with SRV records no?
-
Polarian
and more powerful too
-
rewtkid
I don't know.
-
rewtkid
i will look into it though
-
Polarian
SRV weight is, well, the weighting on being picked
-
Polarian
and SRV priority for priority
-
Polarian
define main servers, and failover servers for example
-
rewtkid
and as for latency, it probably adds like 5ms of latency, at most.
-
Polarian
idk I guess moparisthebest would have to explain why one would use his xmpp-proxy
-
Polarian
but I don't see why SRV can't do it all
-
Wirlaburla
Seems flaky to use SRV for load balancing.
-
Polarian
> Seems flaky to use SRV for load balancing.
flaky?
-
Wirlaburla
Just doesn't seem it should be used for that purpose.
-
rewtkid
i know what srv records are, but i've never had a reason to look into them or even use them. so i'm not sure exactly what they are capable of when it comes to load balancing. i will take your advice and look into it, however.
-
Polarian
> i know what srv records are, but i've never had a reason to look into them or even use them. so i'm not sure exactly what they are capable of when it comes to load balancing. i will take your advice and look into it, however.
SRV was designed for that purpose...
-
rewtkid
I see.
-
Polarian
well not designed specifically for the purpose, but it was thought out
-
Polarian
https://datatracker.ietf.org/doc/html/rfc2782
-
Polarian
> Just doesn't seem it should be used for that purpose.
any benchmarks or proof of this? can't eliminate an option without solid proof it doesn't work
-
rewtkid
like i said though, the only reason i set this up in the first place was to mitigate some DDoS attacks from a certain group of people. hence why the backend isn't even hidden on XMPP when connecting to other servers. there were just some script kiddies trying to troll.
-
rewtkid
and the solution seemed to work pretty well.
-
rewtkid
they were not able to take down every server at once.
-
rewtkid
or any of them, for that matter, since their HTTP flood was being distributed across all servers and seemingly none of them got overwhelmed.
-
Polarian
ah this (https://datatracker.ietf.org/doc/html/rfc6120#section-3.2.3) answers why rewtkid didn't use srv
-
rewtkid
like i said though, the setup is definitely not as good as it could be, but it got the job done in a pinch
-
Polarian
although funny thing is moparisthebest was the one who wrote https://xmpp.org/extensions/xep-0368.html
-
Polarian
> like i said though, the setup is definitely not as good as it could be, but it got the job done in a pinch
why not just KISS
-
rewtkid
it is pretty simple, it's just HAProxy, nginx reverse proxies, and A records.
-
Polarian
but multiple XMPP servers?
-
rewtkid
there is only one xmpp server, which runs on the backend server. each reverse proxy server forwards the requests to the same XMPP server.
-
Polarian
oh.
-
rewtkid
Yeah, lol
-
Polarian
that seems very overcomplicated...
-
rewtkid
not really, it's pretty trivial to accomplish with HAProxy
-
Polarian
whatever floats your boat I guess
-
Polarian
does it store logs though 😉 (seeing as you have a no log policy hehe)
-
rewtkid
nope
-
rewtkid
also moparisthebest, sorry to disturb, but for xmpp-proxy, it seemingly sends traffic to the backend server in plaintext from what i understand. this might pose a security risk, in some cases. are there any workarounds for this that you can recommend?
-
rewtkid
from*
-
rewtkid
i do want to use it, seems very useful for what i'm trying to accomplish here. but that is one thing that sets me off about using it.
-
rewtkid
really all i'm trying to do is proxy S2S connections. if anyone has any solutions or recommendations, please let me know. i am running prosody, for the record.
-
moparisthebest
rewtkid: currently it is plaintext between xmpp-proxy and the backend server because they are meant to run on the same machine or trusted network, preferably over a Unix socket even... If you have a use case where that should be encrypted it's trivial I think...
-
rewtkid
hmm, could maybe use HAProxy with PROXY protocol. but that would only proxy inbound connections, not outbound connections.
-
rewtkid
maybe it would be possible to use something like socat and open a TLS socket to the backend server, then have both sides send connections to socat's listener, instead of directly to the other machine?
-
moparisthebest
And if haproxy does TLS then sasl external auth won't work and you need that for incoming s2s, and indeed no outgoing, you can join xmpp:xmpp-proxy@code.moparisthe.best?join if you have more questions
-
moparisthebest
Yes you could run xmpp-proxy over stunnel/socat
-
rewtkid
I see, might try that later on then. if i have more questions i'll pop into your chat
-
roughnecks
not sure if I can ask here.. I would like to show my webchat (I have a conversejs prosody module and a Movim instance) in search.jabber.network, but I don't know how
-
jonas’
roughnecks, https://search.jabber.network/docs/operators scroll down to features
-
roughnecks
thanks jonas’
-
roughnecks
would that be ok if my webclient only accepts connections from my server?
-
snikket dot deeeeee
Wouldn't that defy the purpose. And confuse 90% of the people pressing the link?
-
roughnecks
guess so :)
-
jonas’
roughnecks, what do you mean by "accepts connections only from your server"?
-
roughnecks
that you can't connect if your account is not from my server
-
jonas’
oh
-
jonas’
no that's totally sensible
-
jonas’
but "Join via web" expects that it's an anonymous thing
-
jonas’
so without login
-
snikket dot deeeeee
For your own users, I think it would be best if you announce your xmpp web client in some other way. Maybe on your homepage
-
roughnecks
okay then, nevermind
-
yoyoyo
hi
-
yoyoyo
Hey, i'm new to xmpp and trying to figure it out on pidgin with otr. does anyone want to give me their username so i can see if it's working..
-
MattJ
Hi, welcome! Pidgin with OTR is not a great place to start. I recommend checking out the guides at https://joinjabber.org
-
MattJ
OTR is a very old encryption method and very few people would be able to talk to you using it
-
yoyoyo
So you recommend OMEMO?
-
MattJ
It has been removed from most XMPP software, replaced by OMEMO. However Pidgin's XMPP support is currently very out of date.
-
yoyoyo
i'm trying to set up xmpp with encryption on tailsos which comes with pidgin...
-
yoyoyo
I will check out that link, thanks.
-
Stix (loqi)
yoyoyo, I highly recommend giving Gajim.org a try. It works great on linux
-
yoyoyo
Stix (loqi) looks like a good option, thx
-
yoyoyo
Stix (loqi) thx for the recommendation. I was able to set it up through Tor on TailsOS. much better ui than pidgin also
-
Stix (loqi)
Great! Just make sure you're using the up to date version of gajim 1.8.4
-
yoyoyo
i'm using 1.7.3
-
yoyoyo
i downloaded it using sudo apt install gajim
-
yoyoyo
is that alright?
-
yoyoyo
https://packages.debian.org/search?keywords=gajim
-
yoyoyo
i'm on stable, i guess that's why..
-
TheCoffeMaker
try a newer version
-
nicoco
Latest gajim is in stable-backports
-
ernst.on.tour
As far as I know there is a separate repo for TailsOS? Maybe they stay on 1.7.3?