Add support for looking up wss:// connections via host-meta and host-meta.json and tests

Cargo.lock

@@ -2,6 +2,12 @@
 # It is not intended for manual editing.
 version = 3
 
+[[package]]
+name = "adler"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe"
+
 [[package]]
 name = "aho-corasick"
 version = "0.7.18"
@@ -17,6 +23,19 @@ version = "1.0.52"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "84450d0b4a8bd1ba4144ce8ce718fbc5d071358b1e5384bace6536b3d1f2d5b3"
 
+[[package]]
+name = "async-compression"
+version = "0.3.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f2bf394cfbbe876f0ac67b13b6ca819f9c9f2fb9ec67223cceb1555fbab1c31a"
+dependencies = [
+ "flate2",
+ "futures-core",
+ "memchr",
+ "pin-project-lite",
+ "tokio",
+]
+
 [[package]]
 name = "async-trait"
 version = "0.1.52"
@@ -39,6 +58,12 @@ dependencies = [
  "winapi",
 ]
 
+[[package]]
+name = "autocfg"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
+
 [[package]]
 name = "base64"
 version = "0.13.0"
@@ -115,6 +140,15 @@ dependencies = [
  "libc",
 ]
 
+[[package]]
+name = "crc32fast"
+version = "1.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b540bd8bc810d3885c6ea91e2018302f68baba2129ab3e88f32389ee9370880d"
+dependencies = [
+ "cfg-if",
+]
+
 [[package]]
 name = "data-encoding"
 version = "2.3.2"
@@ -136,6 +170,15 @@ dependencies = [
  "generic-array",
 ]
 
+[[package]]
+name = "encoding_rs"
+version = "0.8.30"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7896dc8abb250ffdda33912550faa54c88ec8b998dec0b2c55ab224921ce11df"
+dependencies = [
+ "cfg-if",
+]
+
 [[package]]
 name = "enum-as-inner"
 version = "0.3.3"
@@ -161,6 +204,18 @@ dependencies = [
  "termcolor",
 ]
 
+[[package]]
+name = "flate2"
+version = "1.0.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e6988e897c1c9c485f43b47a529cef42fde0547f9d8d41a7062518f1d8fc53f"
+dependencies = [
+ "cfg-if",
+ "crc32fast",
+ "libc",
+ "miniz_oxide",
+]
+
 [[package]]
 name = "fnv"
 version = "1.0.7"
@@ -296,6 +351,31 @@ dependencies = [
  "wasi",
 ]
 
+[[package]]
+name = "h2"
+version = "0.3.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d9f1f717ddc7b2ba36df7e871fd88db79326551d3d6f1fc406fbfd28b582ff8e"
+dependencies = [
+ "bytes",
+ "fnv",
+ "futures-core",
+ "futures-sink",
+ "futures-util",
+ "http",
+ "indexmap",
+ "slab",
+ "tokio",
+ "tokio-util",
+ "tracing",
+]
+
+[[package]]
+name = "hashbrown"
+version = "0.11.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ab5ef0d4909ef3724cc8cce6ccc8572c5c817592e9285f5464f8e86f8bd3726e"
+
 [[package]]
 name = "heck"
 version = "0.3.3"
@@ -333,7 +413,18 @@ checksum = "31f4c6746584866f0feabcc69893c5b51beef3831656a968ed7ae254cdc4fd03"
 dependencies = [
  "bytes",
  "fnv",
- "itoa",
+ "itoa 1.0.1",
+]
+
+[[package]]
+name = "http-body"
+version = "0.4.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1ff4f84919677303da5f147645dbea6b1881f368d03ac84e1dc09031ebd7b2c6"
+dependencies = [
+ "bytes",
+ "http",
+ "pin-project-lite",
 ]
 
 [[package]]
@@ -342,12 +433,55 @@ version = "1.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "acd94fdbe1d4ff688b67b04eee2e17bd50995534a61539e45adfefb45e5e5503"
 
+[[package]]
+name = "httpdate"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c4a1e36c821dbe04574f602848a19f742f4fb3c98d40449f11bcad18d6b17421"
+
 [[package]]
 name = "humantime"
 version = "2.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9a3a5bfb195931eeb336b2a7b4d761daec841b97f947d34394601737a7bba5e4"
 
+[[package]]
+name = "hyper"
+version = "0.14.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b7ec3e62bdc98a2f0393a5048e4c30ef659440ea6e0e572965103e72bd836f55"
+dependencies = [
+ "bytes",
+ "futures-channel",
+ "futures-core",
+ "futures-util",
+ "h2",
+ "http",
+ "http-body",
+ "httparse",
+ "httpdate",
+ "itoa 0.4.8",
+ "pin-project-lite",
+ "socket2 0.4.2",
+ "tokio",
+ "tower-service",
+ "tracing",
+ "want",
+]
+
+[[package]]
+name = "hyper-rustls"
+version = "0.23.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d87c48c02e0dc5e3b849a2041db3029fd066650f8f717c07bf8ed78ccb895cac"
+dependencies = [
+ "http",
+ "hyper",
+ "rustls",
+ "tokio",
+ "tokio-rustls",
+]
+
 [[package]]
 name = "idna"
 version = "0.2.3"
@@ -359,6 +493,16 @@ dependencies = [
  "unicode-normalization",
 ]
 
+[[package]]
+name = "indexmap"
+version = "1.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "282a6247722caba404c065016bbfa522806e51714c34f5dfc3e4a3a46fcb4223"
+dependencies = [
+ "autocfg",
+ "hashbrown",
+]
+
 [[package]]
 name = "instant"
 version = "0.1.12"
@@ -377,7 +521,7 @@ dependencies = [
  "socket2 0.3.19",
  "widestring",
  "winapi",
- "winreg",
+ "winreg 0.6.2",
 ]
 
 [[package]]
@@ -386,6 +530,12 @@ version = "2.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "68f2d64f2edebec4ce84ad108148e67e1064789bee435edc5b60ad398714a3a9"
 
+[[package]]
+name = "itoa"
+version = "0.4.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b71991ff56294aa922b450139ee08b3bfc70982c6b2c7562771375cf73542dd4"
+
 [[package]]
 name = "itoa"
 version = "1.0.1"
@@ -464,6 +614,22 @@ version = "2.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "308cc39be01b73d0d18f82a0e7b2a3df85245f84af96fdddc5d202d27e47b86a"
 
+[[package]]
+name = "mime"
+version = "0.3.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2a60c7ce501c71e03a9c9c0d35b861413ae925bd979cc7a4e30d060069aaac8d"
+
+[[package]]
+name = "miniz_oxide"
+version = "0.4.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a92518e98c078586bc6c934028adcca4c92a53d6a958196de835170a01d84e4b"
+dependencies = [
+ "adler",
+ "autocfg",
+]
+
 [[package]]
 name = "mio"
 version = "0.7.14"
@@ -716,6 +882,47 @@ version = "0.6.25"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f497285884f3fcff424ffc933e56d7cbca511def0c9831a7f9b5f6153e3cc89b"
 
+[[package]]
+name = "reqwest"
+version = "0.11.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "87f242f1488a539a79bac6dbe7c8609ae43b7914b7736210f239a37cccb32525"
+dependencies = [
+ "async-compression",
+ "base64",
+ "bytes",
+ "encoding_rs",
+ "futures-core",
+ "futures-util",
+ "h2",
+ "http",
+ "http-body",
+ "hyper",
+ "hyper-rustls",
+ "ipnet",
+ "js-sys",
+ "lazy_static",
+ "log",
+ "mime",
+ "percent-encoding",
+ "pin-project-lite",
+ "rustls",
+ "rustls-native-certs",
+ "rustls-pemfile",
+ "serde",
+ "serde_json",
+ "serde_urlencoded",
+ "tokio",
+ "tokio-rustls",
+ "tokio-util",
+ "trust-dns-resolver",
+ "url",
+ "wasm-bindgen",
+ "wasm-bindgen-futures",
+ "web-sys",
+ "winreg 0.7.0",
+]
+
 [[package]]
 name = "resolv-conf"
 version = "0.7.0"
@@ -774,6 +981,12 @@ dependencies = [
  "base64",
 ]
 
+[[package]]
+name = "ryu"
+version = "1.0.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "73b4b750c782965c211b42f022f59af1fbceabdd026623714f104152f1ec149f"
+
 [[package]]
 name = "schannel"
 version = "0.1.19"
@@ -843,6 +1056,29 @@ dependencies = [
  "syn",
 ]
 
+[[package]]
+name = "serde_json"
+version = "1.0.79"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e8d9fa5c3b304765ce1fd9c4c8a3de2c8db365a5b91be52f186efc675681d95"
+dependencies = [
+ "itoa 1.0.1",
+ "ryu",
+ "serde",
+]
+
+[[package]]
+name = "serde_urlencoded"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3491c14715ca2294c4d6a88f15e84739788c1d030eed8c110436aafdaa2f3fd"
+dependencies = [
+ "form_urlencoded",
+ "itoa 1.0.1",
+ "ryu",
+ "serde",
+]
+
 [[package]]
 name = "sha-1"
 version = "0.9.8"
@@ -1004,6 +1240,20 @@ dependencies = [
  "webpki",
 ]
 
+[[package]]
+name = "tokio-util"
+version = "0.6.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9e99e1983e5d376cd8eb4b66604d2e99e79f5bd988c3055891dcd8c9e2604cc0"
+dependencies = [
+ "bytes",
+ "futures-core",
+ "futures-sink",
+ "log",
+ "pin-project-lite",
+ "tokio",
+]
+
 [[package]]
 name = "toml"
 version = "0.5.8"
@@ -1013,6 +1263,12 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "tower-service"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "360dfd1d6d30e05fda32ace2c8c70e9c0a9da713275777f5a4dbb8a1893930c6"
+
 [[package]]
 name = "tracing"
 version = "0.1.29"
@@ -1090,6 +1346,12 @@ dependencies = [
  "trust-dns-proto",
 ]
 
+[[package]]
+name = "try-lock"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "59547bce71d9c38b83d9c0e92b6066c4253371f15005def0c30d9657f50c7642"
+
 [[package]]
 name = "tungstenite"
 version = "0.16.0"
@@ -1174,6 +1436,16 @@ version = "0.9.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"
 
+[[package]]
+name = "want"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1ce8a968cb1cd110d136ff8b819a556d6fb6d919363c61534f6860c7eb172ba0"
+dependencies = [
+ "log",
+ "try-lock",
+]
+
 [[package]]
 name = "wasi"
 version = "0.10.2+wasi-snapshot-preview1"
@@ -1205,6 +1477,18 @@ dependencies = [
  "wasm-bindgen-shared",
 ]
 
+[[package]]
+name = "wasm-bindgen-futures"
+version = "0.4.29"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2eb6ec270a31b1d3c7e266b999739109abce8b6c87e4b31fcfcd788b65267395"
+dependencies = [
+ "cfg-if",
+ "js-sys",
+ "wasm-bindgen",
+ "web-sys",
+]
+
 [[package]]
 name = "wasm-bindgen-macro"
 version = "0.2.79"
@@ -1309,6 +1593,15 @@ dependencies = [
  "winapi",
 ]
 
+[[package]]
+name = "winreg"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0120db82e8a1e0b9fb3345a539c478767c0048d842860994d96113d5b667bd69"
+dependencies = [
+ "winapi",
+]
+
 [[package]]
 name = "xmpp-proxy"
 version = "1.0.0"
@@ -1322,6 +1615,7 @@ dependencies = [
  "log",
  "quinn",
  "rand",
+ "reqwest",
  "rustls",
  "rustls-native-certs",
  "rustls-pemfile",

Cargo.toml

@@ -43,6 +43,7 @@ trust-dns-resolver = { version = "0.20", optional = true }
 # todo: feature to swap between webpki-roots and rustls-native-certs
 webpki-roots = { version = "0.22", optional = true }
 rustls-native-certs = { version = "0.6", optional = true }
+reqwest = { version = "0.11", optional = true, default-features = false, features = ["rustls-tls-native-roots", "json", "gzip", "trust-dns"] }
 
 # quic deps
 quinn = { version = "0.8", optional = true }
@@ -59,7 +60,7 @@ futures-util = { version = "0.3", default-features = false, features = ["async-a
 [features]
 default = ["incoming", "outgoing", "quic", "websocket", "logging"]
 incoming = ["tokio-rustls", "rustls-pemfile", "rustls"]
-outgoing = ["tokio-rustls", "trust-dns-resolver", "rustls-native-certs", "lazy_static", "rustls"]
+outgoing = ["tokio-rustls", "trust-dns-resolver", "rustls-native-certs", "lazy_static", "rustls", "reqwest"]
 quic = ["quinn", "rustls-pemfile", "rustls", "rustls-native-certs"]
 websocket = ["tokio-tungstenite", "futures-util", "tokio-rustls", "rustls-pemfile", "rustls", "rustls-native-certs"]
 logging = ["rand", "env_logger"]

integration/19-client-websocket-host-meta/example.org.zone

@@ -0,0 +1,25 @@
+$TTL 300
+; example.org
+@       IN      SOA     ns1.example.org. postmaster.example.org. (
+                                        2018111111 ; Serial
+                                        28800      ; Refresh
+                                        1800       ; Retry
+                                        604800     ; Expire - 1 week
+                                        86400 )    ; Negative Cache TTL
+                IN      NS      ns1
+ns1             IN      A       192.5.0.10
+server1         IN      A       192.5.0.20
+server2         IN      A       192.5.0.30
+xp1             IN      A       192.5.0.40
+xp2             IN      A       192.5.0.50
+xp3             IN      A       192.5.0.60
+web1            IN      A       192.5.0.70
+web2            IN      A       192.5.0.80
+
+one    IN      CNAME   web1
+two    IN      CNAME   web1
+#_xmppconnect.one     IN      TXT     "_xmpp-client-websocket=wss://server1.example.org:5281/xmpp-websocket"
+#_xmppconnect.two     IN      TXT     "_xmpp-client-websocket=wss://server1.example.org:5281/xmpp-websocket"
+
+scansion.one    IN      CNAME   xp1
+scansion.two    IN      CNAME   xp1

integration/19-client-websocket-host-meta/nginx1.conf

@@ -0,0 +1,25 @@
+daemon off;
+worker_processes  1;
+error_log stderr;
+
+events {
+    worker_connections  32;
+}
+
+http {
+    access_log /dev/stdout;
+
+    server {
+        listen       443 ssl;
+        server_name  one.example.org two.example.org;
+
+        ssl_certificate      /etc/prosody/certs/wildcard.crt;
+        ssl_certificate_key  /etc/prosody/certs/wildcard.key;
+
+        location = /.well-known/host-meta {
+            default_type application/xrd+xml;
+            return 200 '<?xml version="1.0" encoding="UTF-8"?><XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"><Link rel="urn:xmpp:alt-connections:websocket" href="wss://server1.example.org:5281/xmpp-websocket"/></XRD>';
+        }
+    }
+
+}

integration/19-client-websocket-host-meta/prosody1.cfg.lua

@@ -0,0 +1,229 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+legacy_ssl_ports = { };
+c2s_ports = { };
+cross_domain_websocket = true
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = true
+
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from authenticating unless they are using encryption.
+
+s2s_require_encryption = true
+
+-- Force certificate authentication for server-to-server connections?
+
+s2s_secure_auth = false
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/wildcard.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/19-client-websocket-host-meta/xmpp-proxy1.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/20-client-websocket-host-meta-json/example.org.zone

@@ -0,0 +1,25 @@
+$TTL 300
+; example.org
+@       IN      SOA     ns1.example.org. postmaster.example.org. (
+                                        2018111111 ; Serial
+                                        28800      ; Refresh
+                                        1800       ; Retry
+                                        604800     ; Expire - 1 week
+                                        86400 )    ; Negative Cache TTL
+                IN      NS      ns1
+ns1             IN      A       192.5.0.10
+server1         IN      A       192.5.0.20
+server2         IN      A       192.5.0.30
+xp1             IN      A       192.5.0.40
+xp2             IN      A       192.5.0.50
+xp3             IN      A       192.5.0.60
+web1            IN      A       192.5.0.70
+web2            IN      A       192.5.0.80
+
+one    IN      CNAME   web1
+two    IN      CNAME   web1
+#_xmppconnect.one     IN      TXT     "_xmpp-client-websocket=wss://server1.example.org:5281/xmpp-websocket"
+#_xmppconnect.two     IN      TXT     "_xmpp-client-websocket=wss://server1.example.org:5281/xmpp-websocket"
+
+scansion.one    IN      CNAME   xp1
+scansion.two    IN      CNAME   xp1

integration/20-client-websocket-host-meta-json/nginx1.conf

@@ -0,0 +1,25 @@
+daemon off;
+worker_processes  1;
+error_log stderr;
+
+events {
+    worker_connections  32;
+}
+
+http {
+    access_log /dev/stdout;
+
+    server {
+        listen       443 ssl;
+        server_name  one.example.org two.example.org;
+
+        ssl_certificate      /etc/prosody/certs/wildcard.crt;
+        ssl_certificate_key  /etc/prosody/certs/wildcard.key;
+
+        location = /.well-known/host-meta.json {
+            default_type application/json;
+            return 200 '{"links":[{"rel":"urn:xmpp:alt-connections:websocket","href":"wss://server1.example.org:5281/xmpp-websocket"}]}';
+        }
+    }
+
+}

integration/20-client-websocket-host-meta-json/prosody1.cfg.lua

@@ -0,0 +1,229 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+legacy_ssl_ports = { };
+c2s_ports = { };
+cross_domain_websocket = true
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = true
+
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from authenticating unless they are using encryption.
+
+s2s_require_encryption = true
+
+-- Force certificate authentication for server-to-server connections?
+
+s2s_secure_auth = false
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/wildcard.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/20-client-websocket-host-meta-json/xmpp-proxy1.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/xp1.example.org.key"
+tls_cert = "/etc/prosody/certs/xp1.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/21-c2s-websocket-host-meta/example.org.zone

@@ -0,0 +1,25 @@
+$TTL 300
+; example.org
+@       IN      SOA     ns1.example.org. postmaster.example.org. (
+                                        2018111111 ; Serial
+                                        28800      ; Refresh
+                                        1800       ; Retry
+                                        604800     ; Expire - 1 week
+                                        86400 )    ; Negative Cache TTL
+                IN      NS      ns1
+ns1             IN      A       192.5.0.10
+server1         IN      A       192.5.0.20
+server2         IN      A       192.5.0.30
+xp1             IN      A       192.5.0.40
+xp2             IN      A       192.5.0.50
+xp3             IN      A       192.5.0.60
+web1            IN      A       192.5.0.70
+web2            IN      A       192.5.0.80
+
+one    IN      CNAME   web1
+two    IN      CNAME   web1
+#_xmppconnect.one     IN      TXT     "_xmpp-client-websocket=wss://one.example.org:5281/xmpp-websocket"
+#_xmppconnect.two     IN      TXT     "_xmpp-client-websocket=wss://two.example.org:5281/xmpp-websocket"
+
+scansion.one    IN      CNAME   xp3
+scansion.two    IN      CNAME   xp3

integration/21-c2s-websocket-host-meta/nginx1.conf

@@ -0,0 +1,25 @@
+daemon off;
+worker_processes  1;
+error_log stderr;
+
+events {
+    worker_connections  32;
+}
+
+http {
+    access_log /dev/stdout;
+
+    server {
+        listen       443 ssl;
+        server_name  one.example.org two.example.org;
+
+        ssl_certificate      /etc/prosody/certs/wildcard.crt;
+        ssl_certificate_key  /etc/prosody/certs/wildcard.key;
+
+        location = /.well-known/host-meta {
+            default_type application/xrd+xml;
+            return 200 '<?xml version="1.0" encoding="UTF-8"?><XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"><Link rel="urn:xmpp:alt-connections:websocket" href="wss://xp1.example.org:5281/xmpp-websocket"/></XRD>';
+        }
+    }
+
+}

integration/21-c2s-websocket-host-meta/prosody1.cfg.lua

@@ -0,0 +1,253 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		--"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+		"net_proxy";
+		"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "xp1.example.org", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+    [15222] = "c2s",
+    [15269] = "s2s"
+}
+
+--[[
+  Specifies a list of trusted hosts or networks which may use the PROXY protocol
+  If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+  An empty table ({}) can be configured to allow connections from any source.
+  Please read the module documentation about potential security impact.
+]]-- 
+proxy_trusted_proxies = {
+    "192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask.. 
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/21-c2s-websocket-host-meta/xmpp-proxy1.toml

@@ -0,0 +1,42 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5281" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/xp1.example.org.key"
+tls_cert = "/etc/prosody/certs/xp1.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/21-c2s-websocket-host-meta/xmpp-proxy3.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/22-c2s-websocket-host-meta-json/example.org.zone

@@ -0,0 +1,25 @@
+$TTL 300
+; example.org
+@       IN      SOA     ns1.example.org. postmaster.example.org. (
+                                        2018111111 ; Serial
+                                        28800      ; Refresh
+                                        1800       ; Retry
+                                        604800     ; Expire - 1 week
+                                        86400 )    ; Negative Cache TTL
+                IN      NS      ns1
+ns1             IN      A       192.5.0.10
+server1         IN      A       192.5.0.20
+server2         IN      A       192.5.0.30
+xp1             IN      A       192.5.0.40
+xp2             IN      A       192.5.0.50
+xp3             IN      A       192.5.0.60
+web1            IN      A       192.5.0.70
+web2            IN      A       192.5.0.80
+
+one    IN      CNAME   web1
+two    IN      CNAME   web1
+#_xmppconnect.one     IN      TXT     "_xmpp-client-websocket=wss://one.example.org:5281/xmpp-websocket"
+#_xmppconnect.two     IN      TXT     "_xmpp-client-websocket=wss://two.example.org:5281/xmpp-websocket"
+
+scansion.one    IN      CNAME   xp3
+scansion.two    IN      CNAME   xp3

integration/22-c2s-websocket-host-meta-json/nginx1.conf

@@ -0,0 +1,25 @@
+daemon off;
+worker_processes  1;
+error_log stderr;
+
+events {
+    worker_connections  32;
+}
+
+http {
+    access_log /dev/stdout;
+
+    server {
+        listen       443 ssl;
+        server_name  one.example.org two.example.org;
+
+        ssl_certificate      /etc/prosody/certs/wildcard.crt;
+        ssl_certificate_key  /etc/prosody/certs/wildcard.key;
+
+        location = /.well-known/host-meta.json {
+            default_type application/json;
+            return 200 '{"links":[{"rel":"urn:xmpp:alt-connections:websocket","href":"wss://xp1.example.org:5281/xmpp-websocket"}]}';
+        }
+    }
+
+}

integration/22-c2s-websocket-host-meta-json/prosody1.cfg.lua

@@ -0,0 +1,253 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		--"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+		"net_proxy";
+		"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "xp1.example.org", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+    [15222] = "c2s",
+    [15269] = "s2s"
+}
+
+--[[
+  Specifies a list of trusted hosts or networks which may use the PROXY protocol
+  If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+  An empty table ({}) can be configured to allow connections from any source.
+  Please read the module documentation about potential security impact.
+]]-- 
+proxy_trusted_proxies = {
+    "192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask.. 
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/22-c2s-websocket-host-meta-json/xmpp-proxy1.toml

@@ -0,0 +1,42 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5281" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/xp1.example.org.key"
+tls_cert = "/etc/prosody/certs/xp1.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/22-c2s-websocket-host-meta-json/xmpp-proxy3.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/23-s2s-websocket-host-meta/example.org.zone

@@ -0,0 +1,23 @@
+$TTL 300
+; example.org
+@       IN      SOA     ns1.example.org. postmaster.example.org. (
+                                        2018111111 ; Serial
+                                        28800      ; Refresh
+                                        1800       ; Retry
+                                        604800     ; Expire - 1 week
+                                        86400 )    ; Negative Cache TTL
+                IN      NS      ns1
+ns1             IN      A       192.5.0.10
+server1         IN      A       192.5.0.20
+server2         IN      A       192.5.0.30
+xp1             IN      A       192.5.0.40
+xp2             IN      A       192.5.0.50
+xp3             IN      A       192.5.0.60
+web1            IN      A       192.5.0.70
+web2            IN      A       192.5.0.80
+
+one    IN      CNAME   web1
+two    IN      CNAME   web2
+
+scansion.one    IN      CNAME   xp3
+scansion.two    IN      CNAME   xp3

integration/23-s2s-websocket-host-meta/nginx1.conf

@@ -0,0 +1,25 @@
+daemon off;
+worker_processes  1;
+error_log stderr;
+
+events {
+    worker_connections  32;
+}
+
+http {
+    access_log /dev/stdout;
+
+    server {
+        listen       443 ssl;
+        server_name  one.example.org;
+
+        ssl_certificate      /etc/prosody/certs/one.example.org.crt;
+        ssl_certificate_key  /etc/prosody/certs/one.example.org.key;
+
+        location = /.well-known/host-meta {
+            default_type application/xrd+xml;
+            return 200 '<?xml version="1.0" encoding="UTF-8"?><XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"><Link rel="urn:xmpp:alt-connections:s2s-websocket" href="wss://xp1.example.org:5281/xmpp-websocket"/><Link rel="urn:xmpp:alt-connections:websocket" href="wss://xp1.example.org:5281/xmpp-websocket"/></XRD>';
+        }
+    }
+
+}

integration/23-s2s-websocket-host-meta/nginx2.conf

@@ -0,0 +1,25 @@
+daemon off;
+worker_processes  1;
+error_log stderr;
+
+events {
+    worker_connections  32;
+}
+
+http {
+    access_log /dev/stdout;
+
+    server {
+        listen       443 ssl;
+        server_name  two.example.org;
+
+        ssl_certificate      /etc/prosody/certs/two.example.org.crt;
+        ssl_certificate_key  /etc/prosody/certs/two.example.org.key;
+
+        location = /.well-known/host-meta {
+            default_type application/xrd+xml;
+            return 200 '<?xml version="1.0" encoding="UTF-8"?><XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"><Link rel="urn:xmpp:alt-connections:s2s-websocket" href="wss://xp2.example.org:5281/xmpp-websocket"/><Link rel="urn:xmpp:alt-connections:websocket" href="wss://xp2.example.org:5281/xmpp-websocket"/></XRD>';
+        }
+    }
+
+}

integration/23-s2s-websocket-host-meta/prosody1.cfg.lua

@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		--"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+		"net_proxy";
+		"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.40", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+    [15222] = "c2s",
+    [15269] = "s2s"
+}
+
+--[[
+  Specifies a list of trusted hosts or networks which may use the PROXY protocol
+  If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+  An empty table ({}) can be configured to allow connections from any source.
+  Please read the module documentation about potential security impact.
+]]-- 
+proxy_trusted_proxies = {
+    "192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask.. 
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/23-s2s-websocket-host-meta/prosody2.cfg.lua

@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		--"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+		"net_proxy";
+		"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.50", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+    [15222] = "c2s",
+    [15269] = "s2s"
+}
+
+--[[
+  Specifies a list of trusted hosts or networks which may use the PROXY protocol
+  If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+  An empty table ({}) can be configured to allow connections from any source.
+  Please read the module documentation about potential security impact.
+]]-- 
+proxy_trusted_proxies = {
+    "192.5.0.50"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask.. 
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/23-s2s-websocket-host-meta/xmpp-proxy1.toml

@@ -0,0 +1,42 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5281" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/xp1.example.org.key"
+tls_cert = "/etc/prosody/certs/xp1.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/23-s2s-websocket-host-meta/xmpp-proxy2.toml

@@ -0,0 +1,42 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5281" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.30:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.30:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/xp2.example.org.key"
+tls_cert = "/etc/prosody/certs/xp2.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/23-s2s-websocket-host-meta/xmpp-proxy3.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/24-s2s-websocket-host-meta-json/example.org.zone

@@ -0,0 +1,23 @@
+$TTL 300
+; example.org
+@       IN      SOA     ns1.example.org. postmaster.example.org. (
+                                        2018111111 ; Serial
+                                        28800      ; Refresh
+                                        1800       ; Retry
+                                        604800     ; Expire - 1 week
+                                        86400 )    ; Negative Cache TTL
+                IN      NS      ns1
+ns1             IN      A       192.5.0.10
+server1         IN      A       192.5.0.20
+server2         IN      A       192.5.0.30
+xp1             IN      A       192.5.0.40
+xp2             IN      A       192.5.0.50
+xp3             IN      A       192.5.0.60
+web1            IN      A       192.5.0.70
+web2            IN      A       192.5.0.80
+
+one    IN      CNAME   web1
+two    IN      CNAME   web2
+
+scansion.one    IN      CNAME   xp3
+scansion.two    IN      CNAME   xp3

integration/24-s2s-websocket-host-meta-json/nginx1.conf

@@ -0,0 +1,25 @@
+daemon off;
+worker_processes  1;
+error_log stderr;
+
+events {
+    worker_connections  32;
+}
+
+http {
+    access_log /dev/stdout;
+
+    server {
+        listen       443 ssl;
+        server_name  one.example.org;
+
+        ssl_certificate      /etc/prosody/certs/one.example.org.crt;
+        ssl_certificate_key  /etc/prosody/certs/one.example.org.key;
+        
+        location = /.well-known/host-meta.json {
+            default_type application/json;
+            return 200 '{"links":[{"rel":"urn:xmpp:alt-connections:s2s-websocket","href":"wss://xp1.example.org:5281/xmpp-websocket"}, {"rel":"urn:xmpp:alt-connections:websocket","href":"wss://xp1.example.org:5281/xmpp-websocket"}]}';
+        }
+    }
+
+}

integration/24-s2s-websocket-host-meta-json/nginx2.conf

@@ -0,0 +1,25 @@
+daemon off;
+worker_processes  1;
+error_log stderr;
+
+events {
+    worker_connections  32;
+}
+
+http {
+    access_log /dev/stdout;
+
+    server {
+        listen       443 ssl;
+        server_name  two.example.org;
+
+        ssl_certificate      /etc/prosody/certs/two.example.org.crt;
+        ssl_certificate_key  /etc/prosody/certs/two.example.org.key;
+        
+        location = /.well-known/host-meta.json {
+            default_type application/json;
+            return 200 '{"links":[{"rel":"urn:xmpp:alt-connections:s2s-websocket","href":"wss://xp2.example.org:5281/xmpp-websocket"}, {"rel":"urn:xmpp:alt-connections:websocket","href":"wss://xp2.example.org:5281/xmpp-websocket"}]}';
+        }
+    }
+
+}

integration/24-s2s-websocket-host-meta-json/prosody1.cfg.lua

@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		--"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+		"net_proxy";
+		"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.40", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+    [15222] = "c2s",
+    [15269] = "s2s"
+}
+
+--[[
+  Specifies a list of trusted hosts or networks which may use the PROXY protocol
+  If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+  An empty table ({}) can be configured to allow connections from any source.
+  Please read the module documentation about potential security impact.
+]]-- 
+proxy_trusted_proxies = {
+    "192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask.. 
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/24-s2s-websocket-host-meta-json/prosody2.cfg.lua

@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		--"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+		"net_proxy";
+		"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.50", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+    [15222] = "c2s",
+    [15269] = "s2s"
+}
+
+--[[
+  Specifies a list of trusted hosts or networks which may use the PROXY protocol
+  If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+  An empty table ({}) can be configured to allow connections from any source.
+  Please read the module documentation about potential security impact.
+]]-- 
+proxy_trusted_proxies = {
+    "192.5.0.50"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask.. 
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/24-s2s-websocket-host-meta-json/xmpp-proxy1.toml

@@ -0,0 +1,42 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5281" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/xp1.example.org.key"
+tls_cert = "/etc/prosody/certs/xp1.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/24-s2s-websocket-host-meta-json/xmpp-proxy2.toml

@@ -0,0 +1,42 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5281" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.30:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.30:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/xp2.example.org.key"
+tls_cert = "/etc/prosody/certs/xp2.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/24-s2s-websocket-host-meta-json/xmpp-proxy3.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/Dockerfile

@@ -35,18 +35,22 @@ FROM base
 
 COPY --from=build /build/*/*.pkg.tar* /tmp/
 
-RUN pacman -S --noconfirm --disable-download-timeout --needed bind prosody lua52-sec nss mkcert curl && \
+RUN pacman -S --noconfirm --disable-download-timeout --needed bind nginx prosody lua52-sec nss mkcert curl && \
     pacman -U --noconfirm --needed /tmp/*.pkg.tar* && rm -f /tmp/*.pkg.tar* && \
     mkdir -p /opt/xmpp-proxy/prosody-modules/ /opt/prosody-modules/ /scansion && mkcert -install && \
     mkdir -p /etc/certs/ecdsa && cd /etc/certs/ecdsa && \
     mkcert -ecdsa -cert-file one.example.org.crt -key-file one.example.org.key one.example.org && \
     mkcert -ecdsa -cert-file two.example.org.crt -key-file two.example.org.key two.example.org && \
+    mkcert -ecdsa -cert-file xp1.example.org.crt -key-file xp1.example.org.key xp1.example.org && \
+    mkcert -ecdsa -cert-file xp2.example.org.crt -key-file xp2.example.org.key xp2.example.org && \
     mkcert -ecdsa -cert-file wildcard.crt        -key-file wildcard.key        '*.example.org' && \
     cp wildcard.crt legacy_ssl.crt && cp wildcard.key legacy_ssl.key && \
     cp wildcard.crt https.crt      && cp wildcard.key https.key && \
     mkdir -p /etc/certs/rsa && cd /etc/certs/rsa && \
     mkcert        -cert-file one.example.org.crt -key-file one.example.org.key one.example.org && \
     mkcert        -cert-file two.example.org.crt -key-file two.example.org.key two.example.org && \
+    mkcert        -cert-file xp1.example.org.crt -key-file xp1.example.org.key xp1.example.org && \
+    mkcert        -cert-file xp2.example.org.crt -key-file xp2.example.org.key xp2.example.org && \
     mkcert        -cert-file wildcard.crt        -key-file wildcard.key        '*.example.org' && \
     cp wildcard.crt legacy_ssl.crt && cp wildcard.key legacy_ssl.key && \
     cp wildcard.crt https.crt      && cp wildcard.key https.key && \

integration/test.sh

@@ -6,7 +6,7 @@ ipv4='192.5.0'
 # change to this directory
 cd -P -- "$(dirname -- "${BASH_SOURCE[0]}")"
 
-usage() { echo "Usage: $0 [-i 192.5.0] [-d] [-r] [-b]" 1>&2; exit 1; }
+usage() { echo "Usage: $0 [-i 192.5.0] [-d] [-r] [-b] [-n]" 1>&2; exit 1; }
 
 build=0
 build_args=''
@@ -14,7 +14,7 @@ img='xmpp-proxy-test'
 xmpp_proxy_bind=''
 run_blocked=0
 ecdsa=0
-while getopts ":i:drbe" o; do
+while getopts ":i:drben" o; do
     case "${o}" in
         i)
             ipv4=${OPTARG}
@@ -36,6 +36,10 @@ while getopts ":i:drbe" o; do
         b)
             run_blocked=1
             ;;
+        n)
+            podman image rm -f "$img" "$img-dev" "$img-dev-ecdsa"
+            exit $?
+            ;;
         *)
             usage
             ;;
@@ -75,8 +79,8 @@ run_container() {
 
 cleanup() {
     set +e
-    podman stop -i -t 0 dns server1 server2 xp1 xp2 xp3 scansion
-    podman rm -f dns server1 server2 xp1 xp2 xp3 scansion
+    podman stop -i -t 0 dns server1 server2 xp1 xp2 xp3 web1 web2 scansion
+    podman rm -f dns server1 server2 xp1 xp2 xp3 web1 web2 scansion
     # this shuts down all containers first too, handy!
     podman network rm -f xmpp-proxy-net4
     set -e
@@ -100,6 +104,8 @@ run_test() {
     [ -f ./xmpp-proxy1.toml ] && run_container -d $xmpp_proxy_bind -v ./xmpp-proxy1.toml:/etc/xmpp-proxy/xmpp-proxy.toml:ro 40 xp1 xmpp-proxy
     [ -f ./xmpp-proxy2.toml ] && run_container -d $xmpp_proxy_bind -v ./xmpp-proxy2.toml:/etc/xmpp-proxy/xmpp-proxy.toml:ro 50 xp2 xmpp-proxy
     [ -f ./xmpp-proxy3.toml ] && run_container -d $xmpp_proxy_bind -v ./xmpp-proxy3.toml:/etc/xmpp-proxy/xmpp-proxy.toml:ro 60 xp3 xmpp-proxy
+    [ -f ./nginx1.conf ] && run_container -d -v ./nginx1.conf:/etc/nginx/nginx.conf:ro 70 web1 nginx
+    [ -f ./nginx2.conf ] && run_container -d -v ./nginx2.conf:/etc/nginx/nginx.conf:ro 80 web2 nginx
 
     # we don't care if these fail
     set +e
@@ -110,9 +116,9 @@ run_test() {
     set -e
 
     # run the actual tests
-    run_container 99 scansion scansion -d /scansion/
+    run_container 90 scansion scansion -d /scansion/
     # juliet_messages_romeo.scs  juliet_presence.scs  romeo_messages_juliet.scs  romeo_presence.scs
-    #run_container 99 scansion scansion /scansion/juliet_presence.scs /scansion/romeo_presence.scs
+    #run_container 90 scansion scansion /scansion/juliet_presence.scs /scansion/romeo_presence.scs
 
     cleanup
     )

src/srv.rs

@@ -30,7 +30,7 @@ pub enum XmppConnectionType {
     #[cfg(feature = "quic")]
     QUIC,
     #[cfg(feature = "websocket")]
-    WebSocket(Uri, String),
+    WebSocket(Uri, String, bool),
 }
 
 #[derive(Debug)]
@@ -75,7 +75,7 @@ impl XmppConnection {
                 },
                 #[cfg(feature = "websocket")]
                 // todo: when websocket is found via DNS, we need to validate cert against domain, *not* target, this is a security problem with XEP-0156, we are doing it the secure but likely unexpected way here for now
-                XmppConnectionType::WebSocket(ref url, ref origin) => match crate::websocket_connect(to_addr, domain, url, origin, is_c2s).await {
+                XmppConnectionType::WebSocket(ref url, ref origin, ref secure) => match crate::websocket_connect(to_addr, if *secure { &self.target } else { domain }, url, origin, is_c2s).await {
                     Ok((wr, rd)) => return Ok((wr, rd, to_addr, "websocket-out")),
                     Err(e) => error!("websocket connection failed to IP {} from TXT {}, error: {}", to_addr, url, e),
                 },
@@ -102,46 +102,58 @@ fn collect_srvs(ret: &mut Vec<XmppConnection>, srv_records: std::result::Result<
 }
 
 #[cfg(feature = "websocket")]
-fn collect_txts(ret: &mut Vec<XmppConnection>, txt_records: std::result::Result<TxtLookup, ResolveError>, is_c2s: bool) {
+fn wss_to_srv(url: &str, secure: bool) -> Option<XmppConnection> {
+    let url = match Uri::try_from(url) {
+        Ok(url) => url,
+        Err(e) => {
+            debug!("invalid URL record '{}': {}", url, e);
+            return None;
+        }
+    };
+    let server_name = match url.host() {
+        Some(server_name) => server_name.to_string(),
+        None => {
+            debug!("invalid URL record '{}'", url);
+            return None;
+        }
+    };
+    let target = server_name.clone().to_string();
+
+    let mut origin = "https://".to_string();
+    origin.push_str(&server_name);
+    let port = if let Some(port) = url.port() {
+        origin.push(':');
+        origin.push_str(port.as_str());
+        port.as_u16()
+    } else {
+        443
+    };
+    Some(XmppConnection {
+        conn_type: XmppConnectionType::WebSocket(url, origin, secure),
+        priority: u16::MAX,
+        weight: 0,
+        port,
+        target,
+    })
+}
+
+#[cfg(feature = "websocket")]
+fn collect_txts(ret: &mut Vec<XmppConnection>, secure_urls: Vec<String>, txt_records: std::result::Result<TxtLookup, ResolveError>, is_c2s: bool) {
     if let Ok(txt_records) = txt_records {
         for txt in txt_records.iter() {
             for txt in txt.iter() {
                 // we only support wss and not ws (insecure) on purpose
                 if txt.starts_with(if is_c2s { b"_xmpp-client-websocket=wss://" } else { b"_xmpp-server-websocket=wss://" }) {
                     // 23 is the length of "_xmpp-client-websocket=" and "_xmpp-server-websocket="
-                    let url = &txt[23..];
-                    let url = match Uri::try_from(url) {
-                        Ok(url) => url,
-                        Err(e) => {
-                            debug!("invalid TXT record '{}', {}", to_str(txt), e);
-                            continue;
+                    if let Ok(url) = String::from_utf8(txt[23..].to_vec()) {
+                        if !secure_urls.contains(&url) {
+                            if let Some(srv) = wss_to_srv(&url, false) {
+                                ret.push(srv);
+                            }
                         }
-                    };
-                    let server_name = match url.host() {
-                        Some(server_name) => server_name.to_string(),
-                        None => {
-                            debug!("invalid TXT record '{}'", to_str(txt));
-                            continue;
-                        }
-                    };
-                    let target = server_name.clone().to_string();
-
-                    let mut origin = "https://".to_string();
-                    origin.push_str(&server_name);
-                    let port = if let Some(port) = url.port() {
-                        origin.push(':');
-                        origin.push_str(port.as_str());
-                        port.as_u16()
                     } else {
-                        443
-                    };
-                    ret.push(XmppConnection {
-                        conn_type: XmppConnectionType::WebSocket(url, origin),
-                        priority: u16::MAX,
-                        weight: 0,
-                        port,
-                        target,
-                    });
+                        debug!("invalid TXT record '{}'", to_str(txt));
+                    }
                 }
             }
         }
@@ -149,10 +161,16 @@ fn collect_txts(ret: &mut Vec<XmppConnection>, txt_records: std::result::Result<
 }
 
 pub async fn get_xmpp_connections(domain: &str, is_c2s: bool) -> Result<Vec<XmppConnection>> {
-    let (starttls, direct_tls, quic, websocket) = if is_c2s {
-        ("_xmpp-client._tcp", "_xmpps-client._tcp", "_xmppq-client._udp", "_xmppconnect")
+    let (starttls, direct_tls, quic, websocket_txt, websocket_rel) = if is_c2s {
+        ("_xmpp-client._tcp", "_xmpps-client._tcp", "_xmppq-client._udp", "_xmppconnect", "urn:xmpp:alt-connections:websocket")
     } else {
-        ("_xmpp-server._tcp", "_xmpps-server._tcp", "_xmppq-server._udp", "_xmppconnect-server")
+        (
+            "_xmpp-server._tcp",
+            "_xmpps-server._tcp",
+            "_xmppq-server._udp",
+            "_xmppconnect-server",
+            "urn:xmpp:alt-connections:s2s-websocket",
+        )
     };
 
     let starttls = format!("{}.{}.", starttls, domain).into_name()?;
@@ -160,7 +178,7 @@ pub async fn get_xmpp_connections(domain: &str, is_c2s: bool) -> Result<Vec<Xmpp
     #[cfg(feature = "quic")]
     let quic = format!("{}.{}.", quic, domain).into_name()?;
     #[cfg(feature = "websocket")]
-    let websocket = format!("{}.{}.", websocket, domain).into_name()?;
+    let websocket_txt = format!("{}.{}.", websocket_txt, domain).into_name()?;
 
     // this lets them run concurrently but not in parallel, could spawn parallel tasks but... worth it ?
     // todo: don't look up websocket or quic records when they are disabled
@@ -170,14 +188,18 @@ pub async fn get_xmpp_connections(domain: &str, is_c2s: bool) -> Result<Vec<Xmpp
         //#[cfg(feature = "quic")]
         quic,
         //#[cfg(feature = "websocket")]
-        websocket,
+        websocket_txt,
+        websocket_host_meta,
+        websocket_host_meta_json,
     ) = tokio::join!(
         RESOLVER.srv_lookup(starttls),
         RESOLVER.srv_lookup(direct_tls),
         //#[cfg(feature = "quic")]
         RESOLVER.srv_lookup(quic),
         //#[cfg(feature = "websocket")]
-        RESOLVER.txt_lookup(websocket),
+        RESOLVER.txt_lookup(websocket_txt),
+        collect_host_meta(domain, websocket_rel),
+        collect_host_meta_json(domain, websocket_rel),
     );
 
     let mut ret = Vec::new();
@@ -186,7 +208,25 @@ pub async fn get_xmpp_connections(domain: &str, is_c2s: bool) -> Result<Vec<Xmpp
     #[cfg(feature = "quic")]
     collect_srvs(&mut ret, quic, XmppConnectionType::QUIC);
     #[cfg(feature = "websocket")]
-    collect_txts(&mut ret, websocket, is_c2s);
+    {
+        let mut urls = Vec::new();
+        match websocket_host_meta {
+            Ok(mut u) => urls.append(&mut u),
+            Err(e) => debug!("websocket_host_meta error for domain {}: {}", domain, e),
+        }
+        match websocket_host_meta_json {
+            Ok(mut u) => urls.append(&mut u),
+            Err(e) => debug!("websocket_host_meta_json error for domain {}: {}", domain, e),
+        }
+        urls.sort();
+        urls.dedup();
+        for url in &urls {
+            if let Some(url) = wss_to_srv(url, true) {
+                ret.push(url);
+            }
+        }
+        collect_txts(&mut ret, urls, websocket_txt, is_c2s);
+    }
     ret.sort_by(|a, b| a.priority.cmp(&b.priority));
     // todo: do something with weight
 
@@ -262,20 +302,78 @@ pub async fn srv_connect(domain: &str, is_c2s: bool, stream_open: &[u8], in_filt
     bail!("all connection attempts failed")
 }
 
+#[cfg(feature = "websocket")]
+async fn collect_host_meta_json(domain: &str, rel: &str) -> Result<Vec<String>> {
+    #[derive(Deserialize)]
+    struct HostMeta {
+        links: Vec<Link>,
+    }
+    #[derive(Deserialize)]
+    struct Link {
+        rel: String,
+        href: String,
+    }
+
+    let url = format!("https://{}/.well-known/host-meta.json", domain);
+    let resp = reqwest::get(&url).await?;
+    if resp.status().is_success() {
+        let resp = resp.json::<HostMeta>().await?;
+        // we will only support wss:// (TLS) not ws:// (plain text)
+        Ok(resp.links.iter().filter(|l| l.rel == rel && l.href.starts_with("wss://")).map(|l| l.href.clone()).collect())
+    } else {
+        bail!("failed with status code {} for url {}", resp.status(), url)
+    }
+}
+
+#[cfg(feature = "websocket")]
+async fn parse_host_meta(rel: &str, bytes: &[u8]) -> Result<Vec<String>> {
+    let mut vec = Vec::new();
+    let mut stanza_reader = StanzaReader(bytes.as_ref());
+    let mut filter = StanzaFilter::new(8192);
+    while let Some((stanza, eoft)) = stanza_reader.next_eoft(&mut filter).await? {
+        if stanza.starts_with(b"<XRD") || stanza.starts_with(b"<xrd") {
+            // now we are to the Links
+            let stanza = (&stanza[eoft..]).clone();
+            let mut stanza_reader = StanzaReader(stanza);
+            let mut filter = StanzaFilter::new(4096);
+            while let Ok(Some(stanza)) = stanza_reader.next(&mut filter).await {
+                if stanza.contains_seq(rel.as_bytes()) {
+                    for needle in [b"='wss://", b"=\"wss://"] {
+                        if let Ok(idx) = stanza.first_index_of(needle) {
+                            let stanza = &stanza[idx + 2..];
+                            if let Ok(idx) = stanza.first_index_of(&needle[1..2]) {
+                                vec.push(String::from_utf8(stanza[..idx].to_vec())?);
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    }
+    Ok(vec)
+}
+
+#[cfg(feature = "websocket")]
+async fn collect_host_meta(domain: &str, rel: &str) -> Result<Vec<String>> {
+    let url = format!("https://{}/.well-known/host-meta", domain);
+    let resp = reqwest::get(&url).await?;
+    if resp.status().is_success() {
+        parse_host_meta(rel, resp.bytes().await?.as_ref()).await
+    } else {
+        bail!("failed with status code {} for url {}", resp.status(), url)
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use crate::srv::*;
 
-    #[tokio::test]
+    //#[tokio::test]
     async fn srv() -> Result<()> {
         let domain = "burtrum.org";
         let is_c2s = true;
         for srv in get_xmpp_connections(domain, is_c2s).await? {
             println!("trying 1 domain {}, SRV: {:?}", domain, srv);
-            #[cfg(feature = "websocket")]
-            if srv.conn_type == XmppConnectionType::WebSocket {
-                continue;
-            }
             let ips = RESOLVER.lookup_ip(srv.target.clone()).await?;
             for ip in ips.iter() {
                 println!("trying domain {}, ip {}, is_c2s: {}, SRV: {:?}", domain, ip, is_c2s, srv);
@@ -283,4 +381,38 @@ mod tests {
         }
         Ok(())
     }
+
+    #[cfg(feature = "websocket")]
+    //#[tokio::test]
+    async fn http() -> Result<()> {
+        let hosts = collect_host_meta_json("burtrum.org", "urn:xmpp:alt-connections:websocket").await?;
+        println!("{:?}", hosts);
+        let hosts = collect_host_meta("burtrum.org", "urn:xmpp:alt-connections:websocket").await?;
+        println!("{:?}", hosts);
+        Ok(())
+    }
+
+    #[cfg(feature = "websocket")]
+    #[tokio::test]
+    async fn test_parse_host_meta() -> Result<()> {
+        let xrd = br#"<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'><Link rel='urn:xmpp:alt-connections:xbosh' href='https://burtrum.org/http-bind'/><Link rel='urn:xmpp:alt-connections:websocket' href='wss://burtrum.org/xmpp-websocket'/></XRD>"#;
+        assert_eq!(parse_host_meta("urn:xmpp:alt-connections:websocket", xrd).await?, vec!["wss://burtrum.org/xmpp-websocket"]);
+
+        let xrd = br#"<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"><Link rel="urn:xmpp:alt-connections:xbosh" href="https://burtrum.org/http-bind"/><Link rel="urn:xmpp:alt-connections:websocket" href="wss://burtrum.org/xmpp-websocket"/></XRD>"#;
+        assert_eq!(parse_host_meta("urn:xmpp:alt-connections:websocket", xrd).await?, vec!["wss://burtrum.org/xmpp-websocket"]);
+
+        let xrd = br#"<xrd xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'><link rel='urn:xmpp:alt-connections:xbosh' href='https://burtrum.org/http-bind'/><link rel='urn:xmpp:alt-connections:websocket' href='wss://burtrum.org/xmpp-websocket'/></xrd>"#;
+        assert_eq!(parse_host_meta("urn:xmpp:alt-connections:websocket", xrd).await?, vec!["wss://burtrum.org/xmpp-websocket"]);
+
+        let xrd = br#"<xrd xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"><link rel="urn:xmpp:alt-connections:xbosh" href="https://burtrum.org/http-bind"/><link rel="urn:xmpp:alt-connections:websocket" href="wss://burtrum.org/xmpp-websocket"/></xrd>"#;
+        assert_eq!(parse_host_meta("urn:xmpp:alt-connections:websocket", xrd).await?, vec!["wss://burtrum.org/xmpp-websocket"]);
+
+        let xrd = br#"<xrd xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"><link rel="urn:xmpp:alt-connections:xbosh" href="https://burtrum.org/http-bind"/><link rel="urn:xmpp:alt-connections:websocket" href="wss://burtrum.org/xmpp-websocket"/><link rel="urn:xmpp:alt-connections:s2s-websocket" href="wss://burtrum.org/xmpp-websocket-s2s"/></xrd>"#;
+        assert_eq!(parse_host_meta("urn:xmpp:alt-connections:s2s-websocket", xrd).await?, vec!["wss://burtrum.org/xmpp-websocket-s2s"]);
+
+        let xrd = br#"<xrd xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"><link rel="urn:xmpp:alt-connections:xbosh" href="https://burtrum.org/http-bind"/><link rel="urn:xmpp:alt-connections:websocket" href="wss://burtrum.org/xmpp-websocket"/><link rel="urn:xmpp:alt-connections:s2s-websocket" href="wss://burtrum.org/xmpp-websocket-s2s"/></xrd>"#;
+        assert_eq!(parse_host_meta("urn:xmpp:alt-connections:websocket", xrd).await?, vec!["wss://burtrum.org/xmpp-websocket"]);
+
+        Ok(())
+    }
 }

src/websocket.rs

@@ -128,13 +128,13 @@ mod tests {
     fn test_from_ws() {
         assert_eq!(
             from_ws(r#"<open xmlns="urn:ietf:params:xml:ns:xmpp-framing" version="1.0" to="test.moparisthe.best" xml:lang="en" />"#.to_string()),
-            r#"<?xml version='1.0'?><stream:stream xmlns="jabber:client" version="1.0" to="test.moparisthe.best" xml:lang="en"  xmlns:stream="http://etherx.jabber.org/streams">"#.to_string()
+            r#"<stream:stream xmlns="jabber:client" version="1.0" to="test.moparisthe.best" xml:lang="en"  xmlns:stream="http://etherx.jabber.org/streams">"#.to_string()
         );
         assert_eq!(from_ws(r#"<close xmlns="urn:ietf:params:xml:ns:xmpp-framing" />"#.to_string()), r#"</stream:stream>"#.to_string());
 
         assert_eq!(
             from_ws(r#"<open to='one.example.org' xmlns='urn:ietf:params:xml:ns:xmpp-framing' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'/>"#.to_string()),
-            r#"<?xml version='1.0'?><stream:stream to='one.example.org' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"#.to_string()
+            r#"<stream:stream to='one.example.org' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"#.to_string()
         );
     }