Hi all,

As the title suggests, I’m trying to run an ejabberd (xmpp) server behind an nginx reverse proxy. The reason is, I want to be able to run the server on my raspberry pi at home, but have people connect to it through my VPS, which is running nginx. This would be nice because I don’t need a static ip and I don’t have to leak my ip address.

I have looked this up, but have not found an answer that works exactly for my use case.

My current nginx configuration looks like this:

stream {
	upstream xmppserver {
		server 10.8.0.3:5223;
	}

	upstream turnserver {
		server 10.8.0.3:3478;
	}

	map $ssl_preread_alpn_protocols $upstream {
		"xmpp-client" xmppserver;
		"stun.turn" turnserver;
		"stun.nat-discovery" turnserver;
	}

	server {
		listen 6969;
		proxy_pass $upstream;
		proxy_protocol on;
	}
}

And I have a DNS entry telling XMPP clients to contact my server at port 6969 (this was just for testing):

I would also need to figure out how to supply ejabberd with the correct certificates for the domain. Since it’s running on a different computer than the reverse proxy, would I have to somehow copy the certificate over every time it has to be renewed?

Thank you for your help.

  • poVoq@slrpnk.net
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    1 year ago

    I guess this is based on this guide? https://wiki.xmpp.org/web/Tech_pages/XEP-0368

    But since you don’t actually need to multi-plex HTTP with XMPP, why not just configure port forwarding like you would do in a local network (assuming your VPS is connected to your Rasberry via a Wireguard VPN or similar)?

    For the certs you can request them again from your Rasberry easily if you use the DNS-01 method. That also allows you to get wildcard certs, which are very useful with the multiple subdomains you usually have for a XMPP service.

  • thelastknowngod
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    This would be nice because I don’t need a static ip and I don’t have to leak my ip address.

    How does the VPS know how to find your rpi?

    Could you not just use something like duck dns on a cronjob and give out that url?

    I would also need to figure out how to supply ejabberd with the correct certificates for the domain. Since it’s running on a different computer than the reverse proxy, would I have to somehow copy the certificate over every time it has to be renewed?

    Since the VPS is doing your TLS termination, you would need an encrypted tunnel of some sort. Have you considered something like Istio? That provides mTLS out of the box really… I’ve never seen it for this kind of use case but I don’t see why it wouldn’t work.

    • Ádám@discuss.tchncs.deOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      The vps communicates with the rpi through a vpn.

      I have not heard of duck dns nor lstio, but I’ll check it out when I get home.

      • thelastknowngod
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Istio is a service mesh. You basically run proxies on the vps and the rpi. The apps make calls to localhost and the proxy layer figures out the communication between each proxy.

        Duck dns is just a dynamic dns service. It gives you a stable address even if you don’t have a static ip.

        • Ádám@discuss.tchncs.deOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          How would I use that in this situation? I don’t get it. I already have a vpn set up to communicate between the two devices, and have been successfully running multiple services in this configuration for about a month. It’s just XMPP that I’m having trouble with.

          • thelastknowngod
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            It auto discovers machines/instances/VMs/containers in the mesh and figures out the secure routing on the fly. If you couldn’t ensure a consistent IP from the home address it wouldn’t matter… The service mesh would work it out.

            It is probably overkill for this project though… Something to think about…

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    1 year ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    DNS Domain Name Service/System
    HTTP Hypertext Transfer Protocol, the Web
    IP Internet Protocol
    SSL Secure Sockets Layer, for transparent encryption
    TLS Transport Layer Security, supersedes SSL
    VPN Virtual Private Network
    VPS Virtual Private Server (opposed to shared hosting)

    6 acronyms in this thread; the most compressed thread commented on today has 8 acronyms.

    [Thread #136 for this sub, first seen 13th Sep 2023, 15:05] [FAQ] [Full list] [Contact] [Source code]

    • Craftkorb@feddit.de
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Adding Wikipedia page links would make this bot much more useful for those that need this information 🤔