|
Size: 903
Comment: firewall config
|
← Revision 11 as of 2020-08-29 20:43:11 ⇥
Size: 1782
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| = Jabber Admin = | ## page was renamed from JabberAdmin |
| Line 3: | Line 3: |
| == Jabber Daemon == | <<TableOfContents>> == Daemon == |
| Line 7: | Line 9: |
| == Erlang Cookie == | We are compliant with [[https://xmpp.org/extensions/xep-0423.html|XEP-0423: XMPP Compliance Suites 2020]]. We have STUN, STUNS, and TURNS (TURN over TLS) enabled, but have left UDP TURN disabled (unclear if using UDP TURN would result in some clients sending member credentials unencrypted, or if only the temporary credentials offered by `mod_stun_disco` are used). If you think we should enable TURN over UDP, please contact the admins. == Installation == Installation is handled by Puppet class `hcoop::service::xmpp::ejabberd`. It will automatically use the HCoop TLS certificate, set up krb5 authentication, and open the needed firewall ports. == Additional Config == A few things are not managed by Puppet. === DNS Records === We need several DNS records for XMPP servers, stored in the `hcoop.net` domtool configuration. === Static files in hcoop.net/.well-known === [[https://xmpp.org/extensions/xep-0156.html|XEP-0156: Discovering Alternative XMPP Connection Methods (HTTP)]] requires two files to be accessible from https://hcoop.net: * https://hcoop.net/.well-known/host-meta * https://hcoop.net/.well-known/host-meta.json These list BOSH and WebSocket endpoints and may need to be adjusted when adding/removing ejabberd servers. == Old content == Might be relevant in the future -- we have a single server setup at the moment, and are not managing the erlang cookie for example. === Erlang Cookie === |
| Line 11: | Line 41: |
| == SSL Certificate == | |
| Line 13: | Line 42: |
| We require TLS communication with the jabber daemon to avoid exposing Kerberos passwords. When installing a new node make sure to copy `/etc/ejabberd/ejabberd.pem` from another node. The current certificate is valid until 2018 and signed by the HCoop CA. == Firewall == The IANA service names `xmpp-client` (port 5222) and `xmpp-server` (port 5269) must be open to the world at large. Port `4369` (epam) must be open to all other `ejabberd` nodes, but should '''not''' be open to the world at large. == PAM Configuration == {{{#!wiki caution TODO }}} |
Contents
1. Daemon
We use ejabberd
We are compliant with XEP-0423: XMPP Compliance Suites 2020. We have STUN, STUNS, and TURNS (TURN over TLS) enabled, but have left UDP TURN disabled (unclear if using UDP TURN would result in some clients sending member credentials unencrypted, or if only the temporary credentials offered by mod_stun_disco are used). If you think we should enable TURN over UDP, please contact the admins.
2. Installation
Installation is handled by Puppet class hcoop::service::xmpp::ejabberd. It will automatically use the HCoop TLS certificate, set up krb5 authentication, and open the needed firewall ports.
3. Additional Config
A few things are not managed by Puppet.
3.1. DNS Records
We need several DNS records for XMPP servers, stored in the hcoop.net domtool configuration.
3.2. Static files in hcoop.net/.well-known
XEP-0156: Discovering Alternative XMPP Connection Methods (HTTP) requires two files to be accessible from https://hcoop.net:
These list BOSH and WebSocket endpoints and may need to be adjusted when adding/removing ejabberd servers.
4. Old content
Might be relevant in the future -- we have a single server setup at the moment, and are not managing the erlang cookie for example.
4.1. Erlang Cookie
All nodes must have the same erlang cookie. When installing a new node replace the default Debian cookie with one copied from ~ejabberd/.erlang_cookie.