-
jjj333_p [pain.agency]
> Make it match what you have in > nano /etc/network/interfaces > For ipv6 was finally looking into this, and i have nothing in there https://envs.sh/ilb.png ↺
-
jjj333_p [pain.agency]
using null ptr instance since my http rev proxy is stopped
-
jjj333_p [pain.agency]
``` root@snapshot-115842185-debian-2gb-hil-1:/home/joseph# cat /etc/network/interfaces # This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5) # Include files from /etc/network/interfaces.d: source /etc/network/interfaces.d/* # The loopback network interface auto lo iface lo inet loopback root@snapshot-115842185-debian-2gb-hil-1:/home/joseph# ip -6 a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000 inet6 ::1/128 scope host noprefixroute valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000 inet6 2a01:4ff:1f0:c2f2::1/64 scope global valid_lft forever preferred_lft forever inet6 fe80::9400:2ff:fe4d:986d/64 scope link valid_lft forever preferred_lft forever 4: br-2410bde0046c: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP inet6 fe80::42:86ff:fed7:4daa/64 scope link valid_lft forever preferred_lft forever 9: vethc039dcd@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP inet6 fe80::c8aa:62ff:fec6:9448/64 scope link valid_lft forever preferred_lft forever root@snapshot-115842185-debian-2gb-hil-1:/home/joseph# ```
-
jonas’
you need to check the files referencesd there in `source`, too
-
jonas’
or that
-
jjj333_p [pain.agency]
this is a very stupid question but how do i know which ip to read from the ip output
-
jonas’
ignore everything with fe80, because those are so-called link-local addresses
👍 1 -
jonas’
ignore ::1, because that's loopback (think 127.0.0.1, but for IPv6)
👍 1 -
jjj333_p [pain.agency]
okay seems #2 it is
-
jonas’
yup :)
-
jjj333_p [pain.agency]
https://envs.sh/ilw.png
-
jjj333_p [pain.agency]
okay ive added the records. i did it just after renewing my letsencrypt certs so i dont know if that was the wrong order per se but oh well
-
jonas’
thankfully, let's encrypt doesn't care :)
👍 1 -
jjj333_p [pain.agency]
if anyone knows how to see if ipv6 only is working, feel free to test and let me know. i have both ipv4 and ipv6 here i believe
-
jjj333_p [pain.agency]
or at least for sure ipv4
-
jjj333_p [pain.agency]
and ping isnt set to work with my server
-
jjj333_p [pain.agency]
anyways jonas’ tysm for your help
-
jonas’
i can at least reach your xmpp server on port 5222 over IPv6
-
jonas’
and port 5269
-
jonas’
so there's that
-
roughnecks
jjj333_p [pain.agency] ``` xmpp-dns -6cfstv pain.agency failure in xmpp-client lookup: lookup _xmpp-client._tcp.pain.agency. on 127.0.0.53:53: no such host failure in xmpps-client lookup: lookup _xmpps-client._tcp.pain.agency. on 127.0.0.53:53: no such host Trying fallback ports. xmpp-client pain.agency. 5222 Priority: 0 Weight: 0 IP: 2a01:4ff:1f0:c2f2::1 Connection: [OK] StartTLS: [OK] Certificate: [OK] xmpps-client pain.agency. 5223 Priority: 0 Weight: 0 IP: 2a01:4ff:1f0:c2f2::1 Connection: [OK] TLS: [OK] Certificate: [OK] xmpps-client pain.agency. 443 Priority: 0 Weight: 0 IP: 2a01:4ff:1f0:c2f2::1 Connection: [OK] TLS: [Not OK] remote error: tls: no application protocol failure in xmpp-server lookup: lookup _xmpp-server._tcp.pain.agency. on 127.0.0.53:53: no such host failure in xmpps-server lookup: lookup _xmpps-server._tcp.pain.agency. on 127.0.0.53:53: no such host Trying fallback ports. xmpp-server pain.agency. 5269 Priority: 0 Weight: 0 IP: 2a01:4ff:1f0:c2f2::1 Connection: [OK] StartTLS: [OK] Certificate: [OK] xmpps-server pain.agency. 5270 Priority: 0 Weight: 0 IP: 2a01:4ff:1f0:c2f2::1 Connection: [OK] TLS: [OK] Certificate: [OK] ```
-
jjj333_p [pain.agency]
the one `TLS: [Not OK]` concerns me a little, but otherwise that seems fine. thanks =)
-
roughnecks
yeah. To repeat the test: https://salsa.debian.org/mdosch/xmpp-dns
👍 1 -
jjj333_p [pain.agency]
tysm
-
roughnecks
np
-
Martin
Seems you're missing srv records.
-
jonas’
why does xmpp-dns default to direct TLS on port 443 if there are no SRV records for that?
-
jjj333_p [pain.agency]
oh yes, i was told those arent necessary as my domain already points to my vps
-
jjj333_p [pain.agency]
> oh yes, i was told those arent necessary as my domain already points to my vps i can add them if i should, i just have been too lazy ↺
-
Martin
Then clients will probably only use default 5222 StartTLS as long as you don't manually configure them to use direct tls. Same for s2s. But as you set up direct tls you might also want to use it.
-
jjj333_p [pain.agency]
> Then clients will probably only use default 5222 StartTLS as long as you don't manually configure them to use direct tls. Same for s2s. But as you set up direct tls you might also want to use it. is there anything wrong with them using that default? ↺
-
Martin
No, but l assumed you want to use direct tls as you set it up.
-
jjj333_p [pain.agency]
> No, but l assumed you want to use direct tls as you set it up. oh i was just told you have to? is there some other form of tls that xmpp uses? ↺
-
jjj333_p [pain.agency]
(to be fair i was inducted into the xmpp cult by people i no longer talk to, and they all kinda were telling me conflicting things)
-
jonas’
telepath.im admin, welcome
-
telepath.im admin
Thank you
-
taba
>> No, but l assumed you want to use direct tls as you set it up. > oh i was just told you have to? is there some other form of tls that xmpp uses? jjj333_p [pain.agency]: look up STARTTLS ↺
-
taba
> (to be fair i was inducted into the xmpp cult by people i no longer talk to, and they all kinda were telling me conflicting things) xmppeaking ↺
-
jjj333_p [pain.agency]
> jjj333_p [pain.agency]: look up STARTTLS ah. so i should probably set up srv records. ill do that... eventually ↺
-
jjj333_p [pain.agency]
> xmppeaking eh just the normal autism of online nice communities ↺
-
jjj333_p [pain.agency]
our brand of autism before everything fell apart just happened to be xmpp and programming in old versions of c for whatever reason (not me personally)
-
jonas’
for the record: you do not need SRV records for starttls to work
-
jjj333_p [pain.agency]
> for the record: you do not need SRV records for starttls to work my understanding is starttls is what its using when you dont have srv records? ↺
-
jjj333_p [pain.agency]
or was i misunderstanding
-
jonas’
starttls is used with _xmpp-server / _xmpp-client SRV records, and by default when you don't have SRV records
👍 1 -
jonas’
the other variant, direct tls, is only used with _xmpps-server / _xmpps-client SRV records and is not supported by all clients and servers which may connect to your server.
-
jonas’
direct tls has fewer roundtrips than starttls, which may be an advantage for mobile clients on high-latency or otherwise slow links
-
jjj333_p [pain.agency]
> direct tls has fewer roundtrips than starttls, which may be an advantage for mobile clients on high-latency or otherwise slow links got it, makes sense ↺
-
ukko
how do the srv lookups not outweight the fewer round trips?
-
jonas’
ukko, they can be cached.
-
ukko
oh
-
jjj333_p [pain.agency]
> how do the srv lookups not outweight the fewer round trips? i just always figured that it came with the rest of the dns information ↺
-
jjj333_p [pain.agency]
no reason to assume that i just did
-
jonas’
nice DNS servers may actually also hand you the address records alongside the SRV response, yeah, but it's not too common.
-
jonas’
but caches certainly help.
-
jjj333_p [pain.agency]
> got it, makes sense might be something that matters to me as i live in bumfuck, pacific ocean and selfhost because most foss services are hosted in the eu which i get approx 600ms ping to ↺
-
jonas’
ukko, not to mention that the SRV records must be queried regardless, because a client needs to find out first whether there even are SRV records before they can fall back to non-SRV endpoints.
👍 1 -
jjj333_p [pain.agency]
even my vps (west coast usa) to eu servers is about 400-500ms ping
-
jjj333_p [pain.agency]
but anyways thats good to know that its realistically mostly a latency improvement more than anything
-
jjj333_p [pain.agency]
clarifies it in my mind
-
Menel
Hm also an udp dns package is more lightweight then any part of the tls handshake I guess
-
jjj333_p [pain.agency]
> Hm also an udp dns package is more lightweight then any part of the tls handshake I guess also often dns servers (such as clownflare) do a lot of work to reduce latency otherwise ↺
-
jonas’
jjj333_p [pain.agency], well and direct TLS on port 443 tends to be easier to get through some nasty firewalls than starttls on port 5222, but whether you want to cater for those is up to you
👍 1 -
Menel
Thanks to #Whatsapp, 5222 is still very good, but yeah. Nothing beats 443/tcp
-
jjj333_p [pain.agency]
> jjj333_p [pain.agency], well and direct TLS on port 443 tends to be easier to get through some nasty firewalls than starttls on port 5222, but whether you want to cater for those is up to you i mean so far i havent run into that problem yet i dont think, but good to know ↺
-
ukko
> about 400-500ms ping you can use https://ping.pe to ping/traceroute/mtr from dozens of locations
-
jjj333_p [pain.agency]
actually wait, very dumb question, does direct tls being on port 443 conflict with reverse proxy? because i know i have to stop caddy to work certbot? or is it only for http traffic
-
ukko
you shouldn't have to stop caddy, switch to standalone plugin for certbot or let caddy handle certs itself
-
jjj333_p [pain.agency]
> > about 400-500ms ping > > you can use https://ping.pe to ping/traceroute/mtr from dozens of locations pretty sure i never set up ping to work, not sure how i would make it work and havent bothered to car ↺
-
jjj333_p [pain.agency]
care
-
jjj333_p [pain.agency]
https://downloadable.pain.agency/file_share/cvM60BXcaQ70Xp3DdfbPIkmv/d8fca9ad-68f4-459a-a655-7b807ee2e46f.png
-
jjj333_p [pain.agency]
> you shouldn't have to stop caddy, switch to standalone plugin for certbot or let caddy handle certs itself i use standalone for the domains that are xmpp specific, and then caddy handles certs for all the others. do i add all the xmpp subdomains into caddy to be reverse proxied? ↺
-
jjj333_p [pain.agency]
like ive never had to renew pain.agency because it is managed by caddy and ive had it for years. but the xmpp subdomains i figured cant be managed by caddy since caddy is only http traffic?
-
Menel
jjj333_p [pain.agency]: xmpp on 443 will conflict with caddy listening on 443 tcp
-
Menel
Two services on the same port can't work
-
telepath.im admin
>> >> you can use https://ping.pe to ping/traceroute/mtr from dozens of locations > pretty sure i never set up ping to work, not sure how i would make it work and havent bothered to car Allow ICMP ↺
-
Menel
But I think caddy can do raw tls proxy stuff. So it could receive on port 443 for your xmpp server and serve that to the xmpp server locally on another port like 5223
-
jjj333_p [pain.agency]
> But I think caddy can do raw tls proxy stuff. > So it could receive on port 443 for your xmpp server and serve that to the xmpp server locally on another port like 5223 so i should just add the xmpp subdomains into caddy and tell it to redirect to the respective ports? ↺
-
Menel
Something about a layer4 app in caddy is what the internet tells me. A normal reverse proxy won't work. Because the normal one is for https
-
Menel
https://wiki.xmpp.org/web/Tech_pages/XEP-0368#Transparent_Proxying Nobody added caddy yet here
-
moparisthebest
> why does xmpp-dns default to direct TLS on port 443 if there are no SRV records for that? This is what all clients and servers should be doing 🙂 ↺
-
moparisthebest
Also same for QUIC
-
jonas’
moparisthebest, that's non-standard behaviour though
-
Menel
But xmpp-dns only does that when you tell it to "just try stuff" right? It's a sensible assumption. Like 5223 too.
-
jonas’
ok
-
Menel
I _think_ it's the second most used xmpps_client port
-
Trung
we should just get rid off `ports` all together
-
Trung
what's the point when we just use all on the one and only 443
-
Menel
With ip6 we can instead just use ips and not ports true
-
ukko
The real issue is that HTTPS records weren't the default
-
ukko
No reason it should be hardcoded to 443
-
Menel
I'm using xmpp over 443 for clients without sslh on ipv6. Thanks to the power of so many ips 😍
-
ukko
Alternatively just think using onions like ogres
-
moparisthebest
> what's the point when we just use all on the one and only 443 Correct ↺
-
moparisthebest
it should be hardcoded to 443 because that's the most likely to work, that's all
-
Trung
internet == 443
-
Polarian
>> why does xmpp-dns default to direct TLS on port 443 if there are no SRV records for that? > This is what all clients and servers should be doing 🙂 _in your opinion_ ↺
-
Polarian
Wasn't DirectTLS considered legacy?
-
moparisthebest
*the world's opinion
-
Polarian
until Openfire 4.8.0 I believe DirectTLS was Legacy TLS
-
moparisthebest
> Wasn't DirectTLS considered legacy? Xep-0368 never was, but back in 2000 when XMPP standardized as an RFC and people thought non-encrypted was ok the previous seperate hardcoded port of 5223 was deprecated in favor of starttls which was hot at the time ↺
-
Polarian
>> Wasn't DirectTLS considered legacy? > Xep-0368 never was, but back in 2000 when XMPP standardized as an RFC and people thought non-encrypted was ok the previous seperate hardcoded port of 5223 was deprecated in favor of starttls which was hot at the time yet startls is the most commonly used ↺
-
Polarian
id you disable startls you will struggle to peer with servers✎ -
Polarian
if you disable startls you will struggle to peer with servers ✏
-
Polarian
A friend of mine learnt that the hard way...
-
moparisthebest
Not sure that's true anymore actually
-
Polarian
> A friend of mine learnt that the hard way... this was 1 year ago ↺
-
Polarian
so I assume it still is
-
Menel
There are indeed servers not using direct tls.
-
moparisthebest
But yes it's unsurprising the way that's worked for 25 years is more widely supported than the 8 year old way
-
Polarian
> There are indeed servers not using direct tls. _cough cough_ ↺
-
Polarian
lets just say I got a little lazy when setting up my current server... it was a test server and then became my main server... so it uses an embedded database and only have the bare minimum setup
-
Trung
that's your problem
-
Polarian
Indeed. But I am not the only one :)
-
Menel
There is no harm having both, or only starttls on s2s
-
Menel
The handshake isn't very relevant for s2s
-
Polarian
Menel: servers are dropping startls s2s
-
Polarian
I have seen it a few times now
-
Menel
I've never seen it
-
Polarian
I assume moparisthebest *would* like to if everyone used DirectTLS
-
Polarian
so that the handshake is encrypted and not just the payload
-
moparisthebest
hosts that only allow TLS on 443 are getting more common, it's becoming more important :)
-
Menel
Just saying it's a no-issue currently.
-
moparisthebest
correct, can't do nice things like ECH with starttls
-
Polarian
> hosts that only allow TLS on 443 are getting more common, it's becoming more important :) Thankfully I dont need to worry about extreme firewalls like that :) ↺
-
Polarian
> correct, can't do nice things like ECH with starttls almost nobody has adopted ECH ↺
-
moparisthebest
You do if you need to talk to hosts over s2s behind them
-
Menel
I've zero servers that don't talk to mine (that I would want) currently. Well I'm preferring direct tls on ipv6 but I guess that doesn't matter
-
Polarian
im decommissioning my server in the coming months anyways
-
moparisthebest
Ech is supported by all browsers for years, it's coming along, these things move slowly
-
moparisthebest
Being able to move slowly in the right direction is one of the main benefits of an eXtensible standardized protocol, flag days are best avoided
-
Polarian
> Ech is supported by all browsers for years, it's coming along, these things move slowly server side? no ↺
-
taba
> I'm using xmpp over 443 for clients without sslh on ipv6. Thanks to the power of so many ips 😍 Menel: ipv4 is a requirement ↺
-
taba
doesn't work on any networks i've tried in georgia✎ -
taba
ipv6 doesn't work on any networks i've tried in georgia ✏
-
taba
ipv6 doesn't work on any network i've tried in georgia ✏
-
Menel
Well I'm saving the route to sslh for ipv6 with it. Ipv4 can still use 5222,5223 and 443 through sslh✎ -
Menel
Well I'm saving the route through sslh for ipv6 with it. Ipv4 can still use 5222,5223 and 443 through sslh ✏
-
moparisthebest
I do the same
-
Polarian
> Well I'm saving the route through sslh for ipv6 with it. > Ipv4 can still use 5222,5223 and 443 through sslh I have never used sslh and havent had the need to ↺
-
taba
i have
-
taba
just do it
-
Polarian
do what... I aint setting something up I dont need
-
taba
you must
-
taba
it's the only way
-
Polarian
to do what?
-
Polarian
if an XMPP server cant use ports other than 443 then they shouldnt host a server... simple!
-
Polarian
My university blocks IRC and XMPP... I simply dont use their network... they provide an unencrypted secondary network with no firewall and it goes through a different backhaul and isnt directly managed by the uni... or... I use mobile data... There is some efforts to try to unblock some of these services as they can affect the computing department. Plus the devices arent able to update properly as the firewall keeps dropping microsoft updater packets.
-
Polarian
sometimes the simpler solution is better... I dont need to use the network so i dont.
-
Polarian
also sshl could break contracts and TOS... resulting in legal trouble... or in my case, my education revoked (they can do that) and permanent suspension
-
ernst.on.tour
> if an XMPP server cant use ports other than 443 then they shouldnt host a server... simple! If you cannot configure my (our) firewall, nobody inside our company will connect your server. ... simple!!!
-
Holger
A server op may or may not be interested in supporting clients behind restrictive firewalls. No need to agree on a single policy here.
-
Polarian
as their firewall is in place to enforce their policies, bypassing it goes against your employment/education contract
-
Polarian
so I would actually be concerned about pushing sshl as a standard/default
-
Polarian
> as their firewall is in place to enforce their policies, bypassing it goes against your employment/education contract _I think I see why I am considered so boring_ ↺
-
Polarian
>> if an XMPP server cant use ports other than 443 then they shouldnt host a server... simple! > If you cannot configure my (our) firewall, nobody inside our company will connect your server. > ... simple!!! so if the company chooses to host said server? why would they block its ports? ↺
-
Polarian
and force an extra point of failure?
-
Holger
Polarian. There's hotel WiFis or whatever operated by admins who believe security is increased by allowing only TLS on 443. I'd like to use XMPP from such networks so I offer TLS on 443. If the hotel admin wanted to block XMPPS on 443 then they obviously got it wrong. Not my problem. I understand you don't care about that use case. Fine then. End of story. No?
-
Holger
So much bikeshedding all day long ...
-
Polarian
> Polarian. There's hotel WiFis or whatever operated by admins who believe security is increased by allowing only TLS on 443. I'd like to use XMPP from such networks so I offer TLS on 443. If the hotel admin wanted to block XMPPS on 443 then they obviously got it wrong. Not my problem. I understand you don't care about that use case. Fine then. End of story. No? sure... but why not just use data then? ↺
-
Polarian
also unless they are using deep packet inspection you can TCP VPN on 443 to a more free network, this is more versatile too :)
-
moparisthebest
Because it costs me and I don't want to? Or maybe it's not available there.
-
Holger
I doubt discussing such stuff helps anyone in here in any way.
-
Polarian
> also unless they are using deep packet inspection you can TCP VPN on 443 to a more free network, this is more versatile too :) also means server providers dont have to do any extra work ↺
-
Polarian
> I doubt discussing such stuff helps anyone in here in any way. true... sorry. ↺
-
Holger
Don't mind occasional small talk at all, but the amount reduces the value of this channel for me.
-
ernst.on.tour
Okay, you seems to be a 12-15year old kiddy which never worked in a company Let me explain: There are companies which block your mobil. But this companies will offer you a proxy to go through the internet. They open 80/443/.... in *their* firewall. If somebody try to connect your server, he will get no connect. If he will connect to my server (via 443 and sslh) he is able to do so. It is his (her) will to do so and I'm not the judgement.
-
taba
> also sshl could break contracts and TOS... resulting in legal trouble... or in my case, my education revoked (they can do that) and permanent suspension you do realize that human beings run your uni right? ↺
-
Polarian
drop the topic
-
taba
> if an XMPP server cant use ports other than 443 then they shouldnt host a server... simple! Polarian: i allow connection to like 4 ports ↺
-
taba
maybe 5
-
Polarian
> Okay, you seems to be a 12-15year old kiddy which never worked in a company > > Let me explain: > There are companies which block your mobil. But this companies will offer you a proxy to go through the internet. They open 80/443/.... in *their* firewall. > > If somebody try to connect your server, he will get no connect. > > If he will connect to my server (via 443 and sslh) he is able to do so. > > It is his (her) will to do so and I'm not the judgement. I do not personally agree with bypassing corporate restrictions considering it is likely a violation of your contract if caught, and even then, you are at work... you shouldnt be on XMPP, and if you want to use XMPP, use your data, why should they pay to route your packets which arent work related? Also drop the topic Also also mind your language, I will gladly admit I am not 12-15, I am quite a bit older, older than some others in this channel, do not use ageist remarks to invalidate my opinion, or to belittle me. ↺
-
Polarian
On topic question I was wondering, if you use standard ports do you guys still publish SRV records?
-
Kris
Srv are also useful if you want addresses on the root domain, but run the actually xmpp server on a subdomain.
-
Kris
For various reasons, typically because they point to physically separate servers.
-
Menel
To see and get inspired what people use I recommend using xmpp-dns on some public servers and see
-
Polarian
> Srv are also useful if you want addresses on the root domain, but run the actually xmpp server on a subdomain. sorry, say you didn't... say you had the root domain as your FQDN and you are using standard ports? ↺
-
Menel
Some do, some don't Polarian. Some say it's cleaner to publish anyway. The current clients and severs will work in any case
-
Polarian
> Some do, some don't Polarian. Some say it's cleaner to publish anyway. The current clients and severs will work in any case whats the standard on this? ↺
-
moparisthebest
Polarian: RFC 6120
-
Menel
The rfc? You may read that yourself at xmpp.org
-
Polarian
> Polarian: RFC 6120 someone knows their rfcs ↺