XMPP Server - Prosody
This ties into the following wishlist items:
These are the three "main" XMPP servers out there (with Snikket being a simplified deploment of Prosody). I think most of the people making these requests don't actually care which server is used - as long as it has the common modules, like roster, OMEMO encryption, file upload, etc.
I have chosen to package Prosody over the others because:
- OpenFire - I know nothing about it
- ejabberd - It's what is running on my server and the configuration for it is a pain
- Snikket - it's TOO simple, not giving us options to configure things
While Prosody does have its own docker image, I started from a different one because it has a sensible set of defaults baked in, is easy to extend, and is making use of environment variables for a lot of the configuration. Since Cloudron can inject environment variables with addons, I thought it would be easy to map Cloudron's environment variables to the ones expected by this container.
Here's where I'm at:
Addons being used:
- tls - The app needs the certs to secure information on a number of ports other than HTTP
- ldap - I want to do SSO
- storage - The app needs to store data for message history, uploads, etc.
Upon install I'm getting an error related to me trying to create the cert structure described here: https://github.com/SaraSmiseth/prosody/tree/dev#ssl-certificates
mkdir: cannot create directory '/usr/local/etc/prosody/certs/upload.xmpp.domain.tld': Read-only file system
My plan for managing the SSL certs was to have the entrypoint script create the directory structure required by the app within the
/app/datafolder, copy the certs as provided by the tls addon, and symlink that directory to the expected directory
/usr/local/var/lib/prosody. From what I've read, there are a few hard-coded things in prosody that may be difficult to change - which is why I'm trying to find a way to put the certs where it expects to find them.
So now I need some help figuring out the best way to deal with this read-only file system issue. Help would be greatly appreciated!
There's a health check module for prosody that can also serve up a status through HTTP. I am planning to use this for the required healthcheck endpoint, and since an HTTP endpoint is generally not used for this application I also want to put it behind auth. The only purpose this HTTP endpoint serves is for the mandatory health check for the Manifest.
After a lot of banging my head, not to music - but against the wall, I've made progress. I was writing files into /app/data in the Dockerfile directly, which the docs has a small footnote saying this is a bad idea. Another "great" thing is that the location prosody searches for files is hard-coded at compile time, so I had to adjust that to get it to look in the right place.
The latest code is up now. The xmpp server starts, but it's not connecting properly. I think there are some cert issues that I'll need to spend more time debugging. At this point, I think it requires more Prosody expertise than Cloudron expertise.
Ok! I've taken this as far as I can go without some support from @staff . The app launches and mostly gets its certs right. Until the certs are fully correct I can't get it to actually run, start the healthcheck endpoint, or debug the rest.
XMPP typically expects to use the primary domain, e.g.
mydomain.com. It uses SRV records to point to the specific sub-domain (if there is one) that should be used for XMPP. The reason for this is so XMPP ID's look the same as e-mails, like
firstname.lastname@example.org. This is also very convenient for XMPP that has LDAP enabled since people will type in their same username and password they do elsewhere. If you tell XMPP its domain is
xmpp.mydomain.com, then user IDs look like:
email@example.com, which isn't the same as e-mail addresses, and people often forget.
This is where the limitations come in. XMPP expects lots of sub-domains, like: upload, conference, proxy, and pubsub.mydomain.com. It also expects certs for each of these, and the primary domain.
tlsadd-on only fetches a cert for the application's sub-domain. IF you are lucky enough to use a registrar that gives you API access, then you COULD use the wildcard certificate option which will cover all the sub-domains. However, this still doesn't give you the cert for
mydomain.comwhich is required for the standard username
There are a few adjustments needed to solve these problems.
1 - The application manifest should let an application define multiple domains. If the domain registrar API is being used it should set them all up at once.
2 - The application manifest should allow getting individual certs for multiple subdomains in the event a registrar API is unavailable for a wildcard cert. The user can configure the domains, but still let Cloudron get the individual certs. The
tlsaddon should pass all of these certs through.
3 - The application manifest should allow other record types to be configured - like SRV records - so the registrar API can be used for a seamless install.
4 - The
tlsaddon should allow an application to request the primary
mydomain.comcert for cases like this.
@djxx Great write up! I have some questions:
- How should the sub-domains be configured? For example - upload, conference, proxy ... Are these a) http or tcp b) If http, are these separate http services from the parent xmpp service itself?
- About the bare domain
mydomain.com. So XMPP just needs the cert for this, but doesn't actually require any configuration as such? Meaning, no TCP or HTTP related configuration is required to what
@girish - As far as I know, all ports except 5280 don't serve HTTP - they're just TCP traffic. The 5280 port is just for some modules, one of which is a "status" module I planned to use for the required healthcheck endpoint. I did my best to put the data in the manifest file, but honestly I got the port information from here: https://github.com/SaraSmiseth/prosody#ports
As for the bare domain, yes - it just needs the cert. It won't actually communicate through this domain; It relies on SRV DNS records to point XMPP clients to the sub-domain that is actually serving XMPP: https://github.com/SaraSmiseth/prosody#dns
It's possible some of these ports and domains could be consolidated - but there will for sure be more than one domain, port, and cert needed to set XMPP up properly.
@djxx Ah ok, then this requires the platform feature to set up DNS when using TCP ports. Currently, we support this via aliases only when using HTTP.
But this shouldn't be a blocker because one can anyway put these DNS entries manually (for now, till we have all the requirements charted out).
Also, for your initial problem of not having the certs of the bare domain - just add the bare domain as an alias . You can do this by setting
"multiDomain": truein the manifest. Once you do that the tls addon should provide with the cert as well.
@girish Thanks. Does enabling multiDomain result in the cert requested from Lets Encrypt using alternate names, or does it put multiple certs into /etc/certs ? Also, is there a way to specify the multiple domains in the manifest - or does it need to be done manually after the application is set up? This could make installation difficult if we need to partially start the application, then add some domain entries, and then do another action to complete the application's setup.
https://docs.trueelena.org/self_hosting/modern_xmpp_server/index.html has some XMPP setup . I haven't read through that in close detail.