Setup multiple jabber-domains with ssl


Roland Ulrich

Nov 10, 2013, 9:07:52 AM11/10/13
to prosod...@googlegroups.com
I'm trying to migrate our jabber server from ejabberd to prosody. We
have five domains configured, all with their own certificate. But I have
problems configuring this setup in prosody.

I've created a virtualhost (separate file in conf.d, included by global
config) for each of these domains which contains the ssl option for that
domain. But when a client is connecting to the server, only the ssl
option from the global config file is used, and skipping it in the global
config stops TLS working in general...

Does someone have a hint for me on how I can configure a server with
multiple jabber-domains including SSL?

Thanks,
Roli

Matthew Wild

Nov 10, 2013, 10:42:13 AM11/10/13
to Prosody IM Users Group
Hi,

On 10 November 2013 14:07, Roland Ulrich <ulrich...@gmail.com> wrote:
> I'm trying to migrate our jabber server from ejabberd to prosody. We
> have five domains configured, all with their own certificate. But I have
> problems configuring this setup in prosody.

This kind of setup is pretty common, and should be straightforward.

> I've created a virtualhost (separate file in conf.d, included by global
> config) for each of these domains which contains the ssl option for that
> domain. But when a client is connecting to the server, only the ssl
> option from the global config file is used, and skipping it in the global
> config stops TLS working in general...

This sounds like perhaps the client is connecting to port 5223, which
is the legacy way of doing encryption. It's disabled by default in
Prosody, so check that you don't have legacy_ssl_ports in your config
file. Port 5223 will always use the global certificate.

If you don't have legacy SSL enabled, then I'm not sure what the issue
could be - perhaps paste an example host config for us?

Regards,
Matthew

Roland Ulrich

Nov 10, 2013, 2:04:03 PM11/10/13
to prosod...@googlegroups.com
Hi Matthew

Thanks for your answer.

> This kind of setup is pretty common, and should be straightforward.

I'm lucky to hear that ;-)

> This sounds like perhaps the client is connecting to port 5223, which
> is the legacy way of doing encryption. It's disabled by default in
> Prosody, so check that you don't have legacy_ssl_ports in your config
> file. Port 5223 will always use the global certificate.

legacy_ssl_ports is not set, only port 5222 is open for client connections:
# netstat -natp | grep lua
tcp        0      0 127.0.0.1:5347          0.0.0.0:*               LISTEN      7282/lua       
tcp        0      0 0.0.0.0:5222            0.0.0.0:*               LISTEN      7282/lua       
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      7282/lua       
tcp        0      0 127.0.0.1:5582          0.0.0.0:*               LISTEN      7282/lua       
tcp        0      0 0.0.0.0:5269            0.0.0.0:*               LISTEN      7282/lua 

> If you don't have legacy SSL enabled, then I'm not sure what the issue
> could be - perhaps paste an example host config for us?

OK, here is how I tried to set up the SSL part:

prosody.cfg.lua:
---8<---
[...]
ssl = {
        key = "/etc/prosody/certs/localhost.key";
        certificate = "/etc/prosody/certs/localhost.cert";
}
[...]
Include "conf.d/*.cfg.lua"
--->8---

and here is one of the five virtualhost configs:
conf.d/domain1.cfg.lua

---8<---
VirtualHost "domain1.com"
    enabled = true
    ssl = {
        key = "/path/to/key/domain1.key";
        certificate = "/path/to/cert/domain1.pem";
    }
--->8---

conf.d/domain2.cfg.lua

---8<---
VirtualHost "domain2.com"
    enabled = true
    ssl = {
        key = "/path/to/key/domain2.key";
        certificate = "/path/to/cert/domain2.pem";
    }
--->8---

and so on...

The prosody version is 8.1.2 (Ubuntu precise). On the DNS side all domains resolve to the same IP.

When I try to connect to the server (with psi, version 0.14), it always presents the cert for localhost, regardless of which configured virtualhost I try to connect to. When I remove the symlink to one of these virtualhosts, my client (psi 0.14) correctly reports that there is no domain configured.

I'm really clueless at the moment, but maybe it is only a simple thing I've missed...

Regards,
Roli

Roland Ulrich

Nov 11, 2013, 8:49:20 AM11/11/13
to prosod...@googlegroups.com
Got it... The place of the ssl option matters. In my case (and unfortunately I skipped this in my example config) I also had two component options set.

So my full config looks like:

---8<---
VirtualHost "domain2.com"
    enabled = true

Component "conference.domain2.com" "muc"
Component "proxy.domain2.com" "proxy65"

    ssl = {
        key = "/path/to/key/domain2.key";
        certificate = "/path/to/cert/domain2.pem";
    }
--->8---

With this config, the configured ssl cert is never presented to the client.


When I reorder the config it works perfectly:

---8<---
VirtualHost "domain2.com"
    enabled = true
    ssl = {
        key = "/path/to/key/domain2.key";
        certificate = "/path/to/cert/domain2.pem";
    }
Component "conference.domain2.com" "muc"
Component "proxy.domain2.com" "proxy65"
--->8---

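The lesson of this thread is that prosody.cfg.lua is sectional: every option line belongs to the nearest VirtualHost or Component line above it (or to the global section if none precedes it), so an ssl table placed after a Component line configures that component, and the VirtualHost silently falls back to the global certificate. The following is an added example, not Prosody's own code and not the poster's real files: a small lint that scans a config fragment, reports which section each ssl option landed in, lists VirtualHosts that will end up serving the global certificate, and also checks for the legacy_ssl_ports setting that Matthew asked about. The BROKEN and FIXED samples are constructed from the two orderings shown above; the scanner is a deliberately simple line-based one that assumes braces do not appear inside strings or comments.

```python
import re

# Constructed sample: the ordering that sent the global "localhost"
# certificate to clients of domain2.com (ssl after the Component lines).
BROKEN = '''
ssl = {
        key = "/etc/prosody/certs/localhost.key";
        certificate = "/etc/prosody/certs/localhost.cert";
}

VirtualHost "domain2.com"
    enabled = true

  Component "conference.domain2.com" "muc"
  Component "proxy.domain2.com" "proxy65"

  ssl = {
          key = "/path/to/key/domain2.key";
          certificate = "/path/to/cert/domain2.pem";
          }
'''

# Constructed sample: the reordered form, ssl before the Component lines.
FIXED = '''
ssl = {
        key = "/etc/prosody/certs/localhost.key";
        certificate = "/etc/prosody/certs/localhost.cert";
}

VirtualHost "domain2.com"
    enabled = true
    ssl = {
        key = "/path/to/key/domain2.key";
        certificate = "/path/to/cert/domain2.pem";
    }
  Component "conference.domain2.com" "muc"
  Component "proxy.domain2.com" "proxy65"
'''

SECTION_RE = re.compile(r'^\s*(VirtualHost|Component)\s+"([^"]+)"')
OPTION_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=')


def scan(config_text):
    """Yield (section_kind, section_name, option_name) in file order.

    Each option line belongs to the most recent VirtualHost/Component line
    above it; before any such line the section is "global". Section starts
    are yielded with option_name None. A brace-depth counter skips lines
    inside a { ... } table, so `key = ...` inside the ssl table is not
    mistaken for a host option. Assumes no braces inside strings/comments.
    """
    kind, name, depth = "global", None, 0
    for line in config_text.splitlines():
        if depth == 0:
            m = SECTION_RE.match(line)
            if m:
                kind, name = m.group(1), m.group(2)
                yield kind, name, None
            else:
                m = OPTION_RE.match(line)
                if m:
                    yield kind, name, m.group(1)
        depth += line.count("{") - line.count("}")


def misplaced_ssl(config_text):
    """Component sections that received an ssl option, i.e. a certificate
    the author almost certainly meant for the VirtualHost above it."""
    return [name for kind, name, opt in scan(config_text)
            if kind == "Component" and opt == "ssl"]


def hosts_using_global_cert(config_text):
    """VirtualHosts with no ssl option of their own; these present the
    global certificate to clients, which is the symptom seen in the thread."""
    hosts, with_ssl = [], set()
    for kind, name, opt in scan(config_text):
        if kind != "VirtualHost":
            continue
        if name not in hosts:
            hosts.append(name)
        if opt == "ssl":
            with_ssl.add(name)
    return [h for h in hosts if h not in with_ssl]


def legacy_ssl_enabled(config_text):
    """True if legacy_ssl_ports is set in the global section; port 5223
    always serves the global certificate regardless of per-host ssl."""
    return any(kind == "global" and opt == "legacy_ssl_ports"
               for kind, _, opt in scan(config_text))


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "| ssl under a Component:", misplaced_ssl(cfg),
              "| hosts serving the global cert:", hosts_using_global_cert(cfg),
              "| legacy SSL enabled:", legacy_ssl_enabled(cfg))
```

Run it against your own conf.d files (read each file and pass its text to the three functions) before restarting the server; a non-empty result from hosts_using_global_cert is exactly the situation described in this thread, and a True from legacy_ssl_enabled explains a wrong certificate on port 5223 even when the per-host config is correct.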

Matthew Wild

Nov 11, 2013, 9:40:14 AM11/11/13
to Prosody IM Users Group
On 11 November 2013 13:49, Roland Ulrich <ulrich...@gmail.com> wrote:
> Got it... The place of the ssl option matters. In my case (and unfortunately
> I skipped this in my example config) I also had two component options set.

Excellent! Glad you figured it out. I was really scratching my head
over this one...

Regards,
Matthew