XMPP reverse proxy and outgoing proxy https://github.com/moparisthebest/xmpp-proxy
Go to file
Travis Burtrum b6150ec8d9
moparisthebest/xmpp-proxy/pipeline/head This commit looks good Details
New state InsideAttribute for StanzaFilter, more tests
2021-04-16 01:57:02 -04:00
.ci Initial commit 2021-04-13 21:59:59 -04:00
src New state InsideAttribute for StanzaFilter, more tests 2021-04-16 01:57:02 -04:00
systemd Initial commit 2021-04-13 21:59:59 -04:00
.gitignore Initial commit 2021-04-13 21:59:59 -04:00
.rustfmt.toml Initial commit 2021-04-13 21:59:59 -04:00
Cargo.lock Update Cargo.lock versions 2021-04-14 02:47:18 -04:00
Cargo.toml Initial commit 2021-04-13 21:59:59 -04:00
LICENSE.md Initial commit 2021-04-13 21:59:59 -04:00
README.md Initial commit 2021-04-13 21:59:59 -04:00
xmpp-proxy.toml Initial commit 2021-04-13 21:59:59 -04:00

README.md

xmpp-proxy

Build Status

xmpp-proxy is a reverse proxy for XMPP servers, providing STARTTLS and TLS over plain-text XMPP connections and limiting stanza sizes without an XML parser.

xmpp-proxy will listen on any number of interfaces/ports and accept any STARTTLS or Direct TLS c2s or s2s connections, terminate TLS, and connect them to a real XMPP server, limiting stanza sizes as configured.

Installation

Configuration

  • mkdir /etc/xmpp-proxy/ && cp xmpp-proxy.toml /etc/xmpp-proxy/
  • edit /etc/xmpp-proxy/xmpp-proxy.toml as needed, file is annotated clearly with comments
  • put your TLS key/cert in /etc/xmpp-proxy/, if your key has "RSA PRIVATE KEY" in it, change that to "PRIVATE KEY": sed -i 's/RSA PRIVATE KEY/PRIVATE KEY/' /etc/xmpp-proxy/le.key
  • Example systemd unit is provided in xmpp-proxy.service and locks it down with bare minimum permissions. Need to set the permissions correctly: chown -Rv 'systemd-network:' /etc/xmpp-proxy/
  • start xmpp-proxy: Usage: xmpp-proxy [/path/to/xmpp-proxy.toml (default /etc/xmpp-proxy/xmpp-proxy.toml]

How do I adapt my running Prosody config to use this instead?

Add these to modules_enabled:

"secure_interfaces";
"net_proxy";

Until prosody-modules is updated, use my patched version of mod_secure_interfaces.lua which also works for s2s.

Add this config:

-- trust connections coming from these IPs
secure_interfaces = { "127.0.0.1", "::1" }

-- handle PROXY protocol on these ports
proxy_port_mappings = {
    [15222] = "c2s",
    [15269] = "s2s"
}

-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
-- you might need to comment these out further down in your config file if you set them
c2s_ports = {}
legacy_ssl_ports = {}
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask.. 
s2s_ports = {15269}

Copy prosody's TLS key to /etc/xmpp-proxy/le.key and TLS cert to /etc/xmpp-proxy/fullchain.cer, and use the provided xmpp-proxy.toml configuration as-is.

License

GNU/AGPLv3 - Check LICENSE.md for details