├── .ci
    ├── Jenkinsfile
    └── build.sh
├── .gitattributes
├── .gitignore
├── .rustfmt.toml
├── Cargo.lock
├── Cargo.toml
├── LICENSE.md
├── README.md
├── build.rs
├── check-all-features.sh
├── contrib
    ├── host-meta
    │   ├── rfc6415.but-valid.xml
    │   ├── rfc6415.json
    │   ├── rfc6415.xml
    │   ├── xep-0156-current.json
    │   ├── xep-0156-current.xml
    │   ├── xep-0156-minimal.json
    │   ├── xep-0156-proposed-minimal.json
    │   ├── xep-0156-proposed.json
    │   ├── xml-validate.sh
    │   └── xrd-1.0-os.xsd
    ├── logo
    │   ├── xmpp_proxy_bw.svg
    │   ├── xmpp_proxy_color.png
    │   └── xmpp_proxy_color.svg
    ├── posh.sh
    ├── prosody-modules
    │   ├── mod_net_proxy.lua
    │   ├── mod_s2s_outgoing_proxy.lua
    │   └── mod_secure_interfaces.lua
    └── systemd
    │   └── xmpp-proxy.service
├── fuzz
    ├── Cargo.toml
    ├── in
    │   ├── 1.xml
    │   ├── 2.xml
    │   ├── 3.xml
    │   ├── 4.xml
    │   ├── 5.xml
    │   ├── 6.xml
    │   └── 7.xml
    ├── src
    │   └── main.rs
    └── xml.dict
├── integration
    ├── 00-no-tls
    │   ├── example.org.zone
    │   └── prosody1.cfg.lua
    ├── 01-starttls
    │   ├── example.org.zone
    │   └── prosody1.cfg.lua
    ├── 02-client-a-record-starttls
    │   ├── example.org.zone
    │   ├── prosody1.cfg.lua
    │   └── xmpp-proxy1.toml
    ├── 03-client-srv-record-starttls
    │   ├── example.org.zone
    │   ├── prosody1.cfg.lua
    │   └── xmpp-proxy1.toml
    ├── 04-client-a-record-tls
    │   ├── example.org.zone
    │   ├── prosody1.cfg.lua
    │   └── xmpp-proxy1.toml
    ├── 05-client-srv-record-tls
    │   ├── example.org.zone
    │   ├── prosody1.cfg.lua
    │   └── xmpp-proxy1.toml
    ├── 06-client-websocket
    │   ├── example.org.zone
    │   ├── prosody1.cfg.lua
    │   └── xmpp-proxy1.toml
    ├── 07-c2s-starttls
    │   ├── example.org.zone
    │   ├── prosody1.cfg.lua
    │   ├── xmpp-proxy1.toml
    │   └── xmpp-proxy3.toml
    ├── 08-c2s-tls
    │   ├── example.org.zone
    │   ├── prosody1.cfg.lua
    │   ├── xmpp-proxy1.toml
    │   └── xmpp-proxy3.toml
    ├── 09-c2s-a-record-quic
    │   ├── example.org.zone
    │   ├── prosody1.cfg.lua
    │   ├── xmpp-proxy1.toml
    │   └── xmpp-proxy3.toml
    ├── 10-client-srv-record-quic
    │   ├── example.org.zone
    │   ├── prosody1.cfg.lua
    │   ├── xmpp-proxy1.toml
    │   └── xmpp-proxy3.toml
    ├── 11-c2s-websocket
    │   ├── example.org.zone
    │   ├── prosody1.cfg.lua
    │   ├── xmpp-proxy1.toml
    │   └── xmpp-proxy3.toml
    ├── 12-s2s-a-record-starttls
    │   ├── example.org.zone
    │   ├── prosody1.cfg.lua
    │   ├── prosody2.cfg.lua
    │   ├── xmpp-proxy1.toml
    │   ├── xmpp-proxy2.toml
    │   └── xmpp-proxy3.toml
    ├── 13-s2s-srv-record-starttls
    │   ├── example.org.zone
    │   ├── prosody1.cfg.lua
    │   ├── prosody2.cfg.lua
    │   ├── xmpp-proxy1.toml
    │   ├── xmpp-proxy2.toml
    │   └── xmpp-proxy3.toml
    ├── 14-s2s-a-record-tls
    │   ├── example.org.zone
    │   ├── prosody1.cfg.lua
    │   ├── prosody2.cfg.lua
    │   ├── xmpp-proxy1.toml
    │   ├── xmpp-proxy2.toml
    │   └── xmpp-proxy3.toml
    ├── 15-s2s-srv-record-tls
    │   ├── example.org.zone
    │   ├── prosody1.cfg.lua
    │   ├── prosody2.cfg.lua
    │   ├── xmpp-proxy1.toml
    │   ├── xmpp-proxy2.toml
    │   └── xmpp-proxy3.toml
    ├── 16-s2s-a-record-quic
    │   ├── example.org.zone
    │   ├── prosody1.cfg.lua
    │   ├── prosody2.cfg.lua
    │   ├── xmpp-proxy1.toml
    │   ├── xmpp-proxy2.toml
    │   └── xmpp-proxy3.toml
    ├── 17-s2s-srv-record-quic
    │   ├── example.org.zone
    │   ├── prosody1.cfg.lua
    │   ├── prosody2.cfg.lua
    │   ├── xmpp-proxy1.toml
    │   ├── xmpp-proxy2.toml
    │   └── xmpp-proxy3.toml
    ├── 18-s2s-websocket
    │   ├── example.org.zone
    │   ├── prosody1.cfg.lua
    │   ├── prosody2.cfg.lua
    │   ├── xmpp-proxy1.toml
    │   ├── xmpp-proxy2.toml
    │   └── xmpp-proxy3.toml
    ├── 19-client-websocket-host-meta
    │   ├── example.org.zone
    │   ├── nginx1.conf
    │   ├── prosody1.cfg.lua
    │   └── xmpp-proxy1.toml
    ├── 20-client-websocket-host-meta-json
    │   ├── example.org.zone
    │   ├── nginx1.conf
    │   ├── prosody1.cfg.lua
    │   └── xmpp-proxy1.toml
    ├── 21-c2s-websocket-host-meta
    │   ├── example.org.zone
    │   ├── nginx1.conf
    │   ├── prosody1.cfg.lua
    │   ├── xmpp-proxy1.toml
    │   └── xmpp-proxy3.toml
    ├── 22-c2s-websocket-host-meta-json
    │   ├── example.org.zone
    │   ├── nginx1.conf
    │   ├── prosody1.cfg.lua
    │   ├── xmpp-proxy1.toml
    │   └── xmpp-proxy3.toml
    ├── 24-s2s-websocket-host-meta-json
    │   ├── example.org.zone
    │   ├── nginx1.conf
    │   ├── nginx2.conf
    │   ├── prosody1.cfg.lua
    │   ├── prosody2.cfg.lua
    │   ├── xmpp-proxy1.toml
    │   ├── xmpp-proxy2.toml
    │   └── xmpp-proxy3.toml
    ├── 25-s2s-sasl-external
    │   ├── example.org.zone
    │   ├── prosody1.cfg.lua
    │   ├── prosody2.cfg.lua
    │   ├── xmpp-proxy1.toml
    │   └── xmpp-proxy3.toml
    ├── 26-s2s-prosody-prosody
    │   ├── example.org.zone
    │   ├── prosody1.cfg.lua
    │   ├── prosody2.cfg.lua
    │   └── xmpp-proxy3.toml
    ├── 27-s2s-prosody-ejabberd
    │   ├── ejabberd2.yml
    │   ├── example.org.zone
    │   ├── prosody1.cfg.lua
    │   └── xmpp-proxy3.toml
    ├── 28-s2s-srv-record-starttls-no-outgoing
    │   ├── example.org.zone
    │   ├── prosody1.cfg.lua
    │   ├── prosody2.cfg.lua
    │   ├── xmpp-proxy1.toml
    │   └── xmpp-proxy2.toml
    ├── 29-webtransport-host-meta-json
    │   ├── example.org.zone
    │   ├── nginx1.conf
    │   ├── nginx2.conf
    │   ├── prosody1.cfg.lua
    │   ├── prosody2.cfg.lua
    │   ├── xmpp-proxy1.toml
    │   ├── xmpp-proxy2.toml
    │   └── xmpp-proxy3.toml
    ├── Dockerfile
    ├── juliet_messages_romeo.scs
    ├── juliet_presence.scs
    ├── named.conf
    ├── romeo_messages_juliet.scs
    ├── romeo_presence.scs
    └── test.sh
├── src
    ├── common
    │   ├── ca_roots.rs
    │   ├── certs_key.rs
    │   ├── incoming.rs
    │   ├── mod.rs
    │   ├── outgoing.rs
    │   └── stream_listener.rs
    ├── context.rs
    ├── in_out.rs
    ├── lib.rs
    ├── main.rs
    ├── outgoing.rs
    ├── quic
    │   ├── incoming.rs
    │   ├── mod.rs
    │   ├── outgoing.rs
    │   └── unix_datagram.rs
    ├── slicesubsequence.rs
    ├── srv.rs
    ├── stanzafilter.rs
    ├── systemd.rs
    ├── tls
    │   ├── incoming.rs
    │   ├── mod.rs
    │   └── outgoing.rs
    ├── verify.rs
    ├── websocket
    │   ├── incoming.rs
    │   ├── mod.rs
    │   └── outgoing.rs
    └── webtransport
    │   ├── incoming.rs
    │   ├── mod.rs
    │   └── outgoing.rs
└── xmpp-proxy.toml


/.ci/Jenkinsfile:
--------------------------------------------------------------------------------
 1 | properties(
 2 |     [
 3 |         disableConcurrentBuilds()
 4 |     ]
 5 | )
 6 | 
 7 | node('linux && docker') {
 8 |     try {
 9 |     stage('Checkout') {
10 |         //branch name from Jenkins environment variables
11 |         echo "My branch is: ${env.BRANCH_NAME}"
12 | 
13 |         // this doesn't grab tags pointing to this branch
14 |         //checkout scm
15 |         // this hack does... https://issues.jenkins.io/browse/JENKINS-45164
16 |         checkout([
17 |             $class: 'GitSCM',
18 |             branches: [[name: 'refs/heads/'+env.BRANCH_NAME]],
19 |             extensions: [[$class: 'CloneOption', noTags: false, shallow: false, depth: 0, reference: '']],
20 |             userRemoteConfigs: scm.userRemoteConfigs,
21 |         ])
22 |         sh '''
23 |         set -euxo pipefail
24 |         git checkout "$BRANCH_NAME" --
25 |         git reset --hard "origin/$BRANCH_NAME"
26 |         '''
27 |     }
28 | 
29 |     stage('Build + Deploy') {
30 |         sh '''
31 |         ./check-all-features.sh || exit 1
32 |         cargo clean
33 |         mkdir -p release
34 |         cp xmpp-proxy.toml release
35 |         curl --compressed -sL https://code.moparisthebest.com/moparisthebest/self-ci/raw/branch/master/build-ci.sh | bash
36 |         ret=$?
37 |         docker system prune -af
38 |         exit $ret
39 |         '''
40 |     }
41 | 
42 |         currentBuild.result = 'SUCCESS'
43 |     } catch (Exception err) {
44 |         currentBuild.result = 'FAILURE'
45 |     } finally {
46 |         stage('Email') {
47 |             step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'admin.jenkins@moparisthebest.com', sendToIndividuals: true])
48 |         }
49 |         deleteDir()
50 |     }
51 | }
52 | 


--------------------------------------------------------------------------------
/.ci/build.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -exo pipefail
 3 | 
 4 | echo "starting build for TARGET $TARGET"
 5 | 
 6 | export CRATE_NAME=xmpp-proxy
 7 | 
 8 | SUFFIX=""
 9 | 
10 | echo "$TARGET" | grep -E '^x86_64-pc-windows-gnu$' >/dev/null && SUFFIX=".exe"
11 | 
12 | # ring fails to compile here
13 | echo "$TARGET" | grep -E '^(s390x|powerpc|mips|riscv64gc|.*solaris$)' >/dev/null && echo "$TARGET not supported in rustls" && exit 0
14 | 
15 | # running `docker system prune -af` after these because they are roughly every 25% through and my hard drive space is limited
16 | echo "$TARGET" | grep -E  '^(armv7-unknown-linux-gnueabihf|x86_64-linux-android|mips-unknown-linux-gnu)$' >/dev/null && docker system prune -af
17 | 
18 | # mio fails to link here
19 | echo "$TARGET" | grep -E  '^x86_64-unknown-netbsd$' >/dev/null && echo "$TARGET not supported in mio" && exit 0
20 | 
21 | # build binary
22 | cross build --target $TARGET --release
23 | 
24 | # to check how they are built
25 | file "target/$TARGET/release/${CRATE_NAME}$SUFFIX"
26 | 
27 | # if this commit has a tag, upload artifact to release
28 | strip "target/$TARGET/release/${CRATE_NAME}$SUFFIX" || true # if strip fails, it's fine
29 | mkdir -p release
30 | cp "target/$TARGET/release/${CRATE_NAME}$SUFFIX" "release/${CRATE_NAME}-$TARGET$SUFFIX"
31 | 
32 | echo 'build success!'
33 | exit 0
34 | 


--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
1 | integration/** linguist-documentation
2 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | /target/
 2 | /target
 3 | **/*.rs.bk
 4 | .idea
 5 | **/*.kate-swp
 6 | **/out/
 7 | **/core.*
 8 | fuzz/target/
 9 | *.txt
10 | conflict/
11 | *.test.toml
12 | 


--------------------------------------------------------------------------------
/.rustfmt.toml:
--------------------------------------------------------------------------------
1 | max_width = 200
2 | 


--------------------------------------------------------------------------------
/build.rs:
--------------------------------------------------------------------------------
 1 | use std::{env, fs::File, io::Write, path::Path};
 2 | 
 3 | fn main() {
 4 |     println!("cargo:rerun-if-changed=build.rs");
 5 | 
 6 |     let out_dir = env::var_os("OUT_DIR").unwrap();
 7 |     let dest_path = Path::new(&out_dir).join("version.rs");
 8 | 
 9 |     let mut w = File::create(dest_path).unwrap();
10 | 
11 |     let allowed_features = [
12 |         "c2s-incoming",
13 |         "c2s-outgoing",
14 |         "s2s-incoming",
15 |         "s2s-outgoing",
16 |         "tls",
17 |         "quic",
18 |         "websocket",
19 |         "tls-ca-roots-native",
20 |         "tls-ca-roots-bundled",
21 |         "logging",
22 |         "systemd",
23 |     ];
24 |     let optional_deps = [
25 |         "rustls",
26 |         "tokio-rustls",
27 |         "rustls-pemfile",
28 |         "quinn",
29 |         "tokio-tungstenite",
30 |         "futures-util",
31 |         "trust-dns-resolver",
32 |         "reqwest",
33 |         "lazy-static",
34 |         "rustls-native-certs",
35 |         "webpki-roots",
36 |         "env-logger",
37 |         "rand",
38 |         "nix",
39 |     ];
40 |     let mut features = Vec::new();
41 |     let mut optional = Vec::new();
42 |     for (mut key, value) in env::vars() {
43 |         //writeln!(&mut w, "{key}: {value}", ).unwrap();
44 |         if value == "1" && key.starts_with("CARGO_FEATURE_") {
45 |             let mut key = key.split_off(14).replace('_', "-");
46 |             key.make_ascii_lowercase();
47 |             if allowed_features.contains(&key.as_str()) {
48 |                 features.push(key);
49 |             } else if optional_deps.contains(&key.as_str()) {
50 |                 optional.push(key);
51 |             }
52 |         }
53 |     }
54 |     features.sort_by(|a, b| {
55 |         allowed_features
56 |             .iter()
57 |             .position(|&r| r == a)
58 |             .unwrap()
59 |             .partial_cmp(&allowed_features.iter().position(|&r| r == b).unwrap())
60 |             .unwrap()
61 |     });
62 |     optional.sort_by(|a, b| {
63 |         optional_deps
64 |             .iter()
65 |             .position(|&r| r == a)
66 |             .unwrap()
67 |             .partial_cmp(&optional_deps.iter().position(|&r| r == b).unwrap())
68 |             .unwrap()
69 |     });
70 |     let features = features.join(",");
71 |     let optional = optional.join(",");
72 | 
73 |     let name = env!("CARGO_PKG_NAME");
74 |     let version = env!("CARGO_PKG_VERSION");
75 | 
76 |     let target = env::var("TARGET").unwrap();
77 | 
78 |     writeln!(
79 |         &mut w,
80 |         "{{println!(
81 | \"{name} {version} ({target})
82 | Features: {features}
83 | Optional crates: {optional}\");}}"
84 |     )
85 |     .unwrap();
86 | }
87 | 


--------------------------------------------------------------------------------
/contrib/host-meta/rfc6415.but-valid.xml:
--------------------------------------------------------------------------------
 1 | <?xml version='1.0' encoding='UTF-8'?>
 2 | <XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'
 3 |      xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
 4 | 
 5 |     <Expires>2010-01-30T09:30:00Z</Expires>
 6 |     <Subject>http://blog.example.com/article/id/314</Subject>
 7 | 
 8 |     <Alias>http://blog.example.com/cool_new_thing</Alias>
 9 |     <Alias>http://blog.example.com/steve/article/7</Alias>
10 | 
11 |     <Property type='http://blgx.example.net/ns/version'>1.2</Property>
12 |     <Property type='http://blgx.example.net/ns/version'>1.3</Property>
13 |     <Property type='http://blgx.example.net/ns/ext' xsi:nil='true'/>
14 | 
15 |     <Link rel='author' type='text/html'
16 |           href='http://blog.example.com/author/steve'>
17 |         <Title>About the Author</Title>
18 |         <Title xml:lang='en-us'>Author Information</Title>
19 |         <Property type='http://example.com/role'>editor</Property>
20 |     </Link>
21 | 
22 |     <Link rel='author' href='http://example.com/author/john'>
23 |         <Title>The other guy</Title>
24 |         <Title>The other author</Title>
25 |     </Link>
26 | 
27 |     <Link rel='copyright'
28 |           template='http://example.com/copyright?id={uri}'/>
29 | </XRD>
30 | 


--------------------------------------------------------------------------------
/contrib/host-meta/rfc6415.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "subject": "http://blog.example.com/article/id/314",
 3 |   "expires": "2010-01-30T09:30:00Z",
 4 |   "aliases": [
 5 |     "http://blog.example.com/cool_new_thing",
 6 |     "http://blog.example.com/steve/article/7"
 7 |   ],
 8 |   "properties": {
 9 |     "http://blgx.example.net/ns/version": "1.3",
10 |     "http://blgx.example.net/ns/ext": null
11 |   },
12 |   "links": [
13 |     {
14 |       "rel": "author",
15 |       "type": "text/html",
16 |       "href": "http://blog.example.com/author/steve",
17 |       "titles": {
18 |         "default": "About the Author",
19 |         "en-us": "Author Information"
20 |       },
21 |       "properties": {
22 |         "http://example.com/role": "editor"
23 |       }
24 |     },
25 |     {
26 |       "rel": "author",
27 |       "href": "http://example.com/author/john",
28 |       "titles": {
29 |         "default": "The other author"
30 |       }
31 |     },
32 |     {
33 |       "rel": "copyright",
34 |       "template": "http://example.com/copyright?id={uri}"
35 |     }
36 |   ]
37 | }
38 | 


--------------------------------------------------------------------------------
/contrib/host-meta/rfc6415.xml:
--------------------------------------------------------------------------------
 1 | <?xml version='1.0' encoding='UTF-8'?>
 2 | <XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'
 3 |      xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
 4 | 
 5 |     <Subject>http://blog.example.com/article/id/314</Subject>
 6 |     <Expires>2010-01-30T09:30:00Z</Expires>
 7 | 
 8 |     <Alias>http://blog.example.com/cool_new_thing</Alias>
 9 |     <Alias>http://blog.example.com/steve/article/7</Alias>
10 | 
11 |     <Property type='http://blgx.example.net/ns/version'>1.2</Property>
12 |     <Property type='http://blgx.example.net/ns/version'>1.3</Property>
13 |     <Property type='http://blgx.example.net/ns/ext' xsi:nil='true'/>
14 | 
15 |     <Link rel='author' type='text/html'
16 |           href='http://blog.example.com/author/steve'>
17 |         <Title>About the Author</Title>
18 |         <Title xml:lang='en-us'>Author Information</Title>
19 |         <Property type='http://example.com/role'>editor</Property>
20 |     </Link>
21 | 
22 |     <Link rel='author' href='http://example.com/author/john'>
23 |         <Title>The other guy</Title>
24 |         <Title>The other author</Title>
25 |     </Link>
26 | 
27 |     <Link rel='copyright'
28 |           template='http://example.com/copyright?id={uri}'/>
29 | </XRD>
30 | 


--------------------------------------------------------------------------------
/contrib/host-meta/xep-0156-current.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "subject": "http://blog.example.com/article/id/314",
 3 |   "expires": "2010-01-30T09:30:00Z",
 4 |   "aliases": [
 5 |     "http://blog.example.com/cool_new_thing",
 6 |     "http://blog.example.com/steve/article/7"
 7 |   ],
 8 |   "properties": {
 9 |     "http://blgx.example.net/ns/version": "1.3",
10 |     "http://blgx.example.net/ns/ext": null
11 |   },
12 |   "links": [
13 |     {
14 |       "rel": "author",
15 |       "type": "text/html",
16 |       "href": "http://blog.example.com/author/steve",
17 |       "titles": {
18 |         "default": "About the Author",
19 |         "en-us": "Author Information"
20 |       },
21 |       "properties": {
22 |         "http://example.com/role": "editor"
23 |       }
24 |     },
25 |     {
26 |       "rel": "author",
27 |       "href": "http://example.com/author/john",
28 |       "titles": {
29 |         "default": "The other author"
30 |       }
31 |     },
32 |     {
33 |       "rel": "urn:xmpp:alt-connections:xbosh",
34 |       "href": "https://example.org/http-bind"
35 |     },
36 |     {
37 |       "rel": "urn:xmpp:alt-connections:websocket",
38 |       "href": "wss://example.org/xmpp-websocket"
39 |     },
40 |     {
41 |       "rel": "copyright",
42 |       "template": "http://example.com/copyright?id={uri}"
43 |     }
44 |   ]
45 | }
46 | 


--------------------------------------------------------------------------------
/contrib/host-meta/xep-0156-current.xml:
--------------------------------------------------------------------------------
 1 | <?xml version='1.0' encoding='UTF-8'?>
 2 | <XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'
 3 |      xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
 4 | 
 5 |     <Expires>2010-01-30T09:30:00Z</Expires>
 6 |     <Subject>http://blog.example.com/article/id/314</Subject>
 7 | 
 8 |     <Alias>http://blog.example.com/cool_new_thing</Alias>
 9 |     <Alias>http://blog.example.com/steve/article/7</Alias>
10 | 
11 |     <Property type='http://blgx.example.net/ns/version'>1.2</Property>
12 |     <Property type='http://blgx.example.net/ns/version'>1.3</Property>
13 |     <Property type='http://blgx.example.net/ns/ext' xsi:nil='true'/>
14 | 
15 |     <Link rel='author' type='text/html'
16 |           href='http://blog.example.com/author/steve'>
17 |         <Title>About the Author</Title>
18 |         <Title xml:lang='en-us'>Author Information</Title>
19 |         <Property type='http://example.com/role'>editor</Property>
20 |     </Link>
21 | 
22 |     <Link rel='author' href='http://example.com/author/john'>
23 |         <Title>The other guy</Title>
24 |         <Title>The other author</Title>
25 |     </Link>
26 | 
27 |     <Link rel='urn:xmpp:alt-connections:xbosh' href='https://example.org/http-bind'/>
28 | 
29 |     <Link rel='urn:xmpp:alt-connections:websocket' href='wss://example.org/xmpp-websocket'/>
30 | 
31 |     <Link rel='copyright'
32 |           template='http://example.com/copyright?id={uri}'/>
33 | </XRD>
34 | 


--------------------------------------------------------------------------------
/contrib/host-meta/xep-0156-minimal.json:
--------------------------------------------------------------------------------
1 | {"links":[{"rel":"urn:xmpp:alt-connections:xbosh","href":"https://example.org/http-bind"},{"rel":"urn:xmpp:alt-connections:websocket","href":"wss://example.org/xmpp-websocket"}]}
2 | 


--------------------------------------------------------------------------------
/contrib/host-meta/xep-0156-proposed-minimal.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "xmpp": {
 3 |     "ttl": 3000,
 4 |     "public-key-pins-sha-256": [
 5 |       "4/mggdlVx8A3pvHAWW5sD+qJyMtUHgiRuPjVC48N0XQ="
 6 |     ]
 7 |   },
 8 |   "links": [
 9 |     {
10 |       "rel": "urn:xmpp:alt-connections:websocket",
11 |       "href": "wss://other.example.org/xmpp-websocket",
12 |       "ips": [
13 |         "1.2.3.4",
14 |         "fd00:feed:dad:beef::1"
15 |       ],
16 |       "priority": 15,
17 |       "weight": 50,
18 |       "sni": "example.org",
19 |       "alpn": [
20 |         "h2",
21 |         "http/1.1",
22 |         "h3"
23 |       ],
24 |       "ech": "eG1wcC1jbGllbnQ="
25 |     },
26 |     {
27 |       "rel": "urn:xmpp:alt-connections:tls",
28 |       "port": 443,
29 |       "ips": [
30 |         "1.2.3.4",
31 |         "fd00:feed:dad:beef::1"
32 |       ],
33 |       "priority": 10,
34 |       "weight": 50,
35 |       "sni": "example.org",
36 |       "ech": "eG1wcC1jbGllbnQ="
37 |     },
38 |     {
39 |       "rel": "urn:xmpp:alt-connections:quic",
40 |       "port": 443,
41 |       "ips": [
42 |         "1.2.3.4",
43 |         "fd00:feed:dad:beef::1"
44 |       ],
45 |       "priority": 5,
46 |       "weight": 50,
47 |       "sni": "example.org",
48 |       "ech": "eG1wcC1jbGllbnQ="
49 |     },
50 |     {
51 |       "rel": "urn:xmpp:alt-connections:s2s-websocket",
52 |       "href": "wss://other.example.org/s2s-xmpp-websocket",
53 |       "ips": [
54 |         "1.2.3.4",
55 |         "fd00:feed:dad:beef::1"
56 |       ],
57 |       "priority": 15,
58 |       "weight": 50,
59 |       "sni": "example.org",
60 |       "ech": "eG1wcC1jbGllbnQ="
61 |     },
62 |     {
63 |       "rel": "urn:xmpp:alt-connections:s2s-tls",
64 |       "port": 443,
65 |       "ips": [
66 |         "1.2.3.4",
67 |         "fd00:feed:dad:beef::1"
68 |       ],
69 |       "priority": 10,
70 |       "weight": 50,
71 |       "sni": "example.org",
72 |       "ech": "eG1wcC1jbGllbnQ="
73 |     },
74 |     {
75 |       "rel": "urn:xmpp:alt-connections:s2s-quic",
76 |       "port": 443,
77 |       "ips": [
78 |         "1.2.3.4",
79 |         "fd00:feed:dad:beef::1"
80 |       ],
81 |       "priority": 5,
82 |       "weight": 50,
83 |       "sni": "example.org",
84 |       "ech": "eG1wcC1jbGllbnQ="
85 |     }
86 |   ]
87 | }
88 | 


--------------------------------------------------------------------------------
/contrib/host-meta/xml-validate.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | exec xmllint --noout --schema xrd-1.0-os.xsd "$1"
3 | 


--------------------------------------------------------------------------------
/contrib/logo/xmpp_proxy_color.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/moparisthebest/xmpp-proxy/37df79a9331575274d698edc344f380e02f933e4/contrib/logo/xmpp_proxy_color.png


--------------------------------------------------------------------------------
/contrib/posh.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | # these are just examples for how to grab and hash certificates for POSH
 4 | # adapted from https://curl.se/libcurl/c/CURLOPT_PINNEDPUBLICKEY.html
 5 | 
 6 | # this is for any direct TLS port like xmpps or https
 7 | openssl s_client -servername posh.badxmpp.eu -connect posh.badxmpp.eu:443 < /dev/null | sed -n "/-----BEGIN/,/-----END/p" > posh.badxmpp.eu.pem
 8 | openssl asn1parse -noout -inform pem -in posh.badxmpp.eu.pem -out posh.badxmpp.eu.der
 9 | openssl dgst -sha256 -binary posh.badxmpp.eu.der | openssl base64 | tr -d '\n' > posh.badxmpp.eu.der.sha256
10 | openssl dgst -sha512 -binary posh.badxmpp.eu.der | openssl base64 | tr -d '\n' > posh.badxmpp.eu.der.sha512
11 | 
12 | openssl base64 < posh.badxmpp.eu.der | tr -d '\n' > posh.badxmpp.eu.der.base64
13 | 
14 | # this is for any starttls xmpp port
15 | openssl s_client -starttls xmpp -name posh.badxmpp.eu -servername posh.badxmpp.eu -connect snikket2.prosody.im:5222 < /dev/null | sed -n "/-----BEGIN/,/-----END/p" > posh.badxmpp.eu.5222.pem
16 | openssl asn1parse -noout -inform pem -in posh.badxmpp.eu.5222.pem -out posh.badxmpp.eu.5222.der
17 | openssl dgst -sha256 -binary posh.badxmpp.eu.5222.der | openssl base64 | tr -d '\n' > posh.badxmpp.eu.5222.der.sha256
18 | openssl dgst -sha512 -binary posh.badxmpp.eu.5222.der | openssl base64 | tr -d '\n' > posh.badxmpp.eu.5222.der.sha512
19 | 
20 | openssl base64 < posh.badxmpp.eu.5222.der | tr -d '\n' > posh.badxmpp.eu.5222.der.base64
21 | 
22 | wget https://posh.badxmpp.eu/.well-known/posh/xmpp-server.json https://posh.badxmpp.eu/.well-known/posh/xmpp-client.json
23 | 
24 | grep . *.sha*
25 | 


--------------------------------------------------------------------------------
/contrib/prosody-modules/mod_secure_interfaces.lua:
--------------------------------------------------------------------------------
 1 | local secure_interfaces = module:get_option_set("secure_interfaces", { "127.0.0.1", "::1" });
 2 | 
 3 | local function mark_secure(event, expected_type)
 4 | 	local session = event.origin;
 5 | 	if session.type ~= expected_type then return; end
 6 | 	local socket = session.conn:socket();
 7 | 	if not socket.getsockname then
 8 | 		module:log("debug", "Unable to determine local address of incoming connection");
 9 | 		return;
10 | 	end
11 | 	local localip = socket:getsockname();
12 | 	if secure_interfaces:contains(localip) then
13 | 		module:log("debug", "Marking session from %s to %s as secure", session.ip or "[?]", localip);
14 | 		session.secure = true;
15 | 		session.conn.starttls = false;
16 | 	else
17 | 		module:log("debug", "Not marking session from %s to %s as secure", session.ip or "[?]", localip);
18 | 	end
19 | end
20 | 
21 | module:hook("stream-features", function (event)
22 | 	mark_secure(event, "c2s_unauthed");
23 | end, 25000);
24 | 
25 | module:hook("s2s-stream-features", function (event)
26 | 	mark_secure(event, "s2sin_unauthed");
27 | end, 25000);
28 | 
29 | -- todo: is this the best place to do this hook?
30 | -- this hook marks incoming s2s as secure so we offer SASL EXTERNAL on it
31 | module:hook("s2s-stream-features", function(event)
32 | 	local session, features = event.origin, event.features;
33 | 	if session.type == "s2sin_unauthed" then
34 |         module:log("debug", "marking hook session.type '%s' secure with validated cert!", session.type);
35 | 	    session.secure = true;
36 |     	session.cert_chain_status = "valid";
37 |     	session.cert_identity_status = "valid";
38 |     end
39 | end, 3000);
40 | 


--------------------------------------------------------------------------------
/contrib/systemd/xmpp-proxy.service:
--------------------------------------------------------------------------------
 1 | [Unit]
 2 | Description=xmpp-proxy
 3 | After=network-online.target nss-lookup.target
 4 | Wants=network-online.target nss-lookup.target
 5 | StartLimitIntervalSec=0
 6 | Documentation=https://code.moparisthebest.com/moparisthebest/xmpp-proxy
 7 | Documentation=https://github.com/moparisthebest/xmpp-proxy
 8 | 
 9 | [Service]
10 | ExecStart=/usr/bin/xmpp-proxy
11 | Restart=always
12 | RestartSec=1s
13 | # anything under here isn't strictly needed, but probably good
14 | # to lock this down with the minimal permissions necessary
15 | # which are not many at all
16 | User=xmpp-proxy
17 | DynamicUser=yes
18 | ConfigurationDirectory=xmpp-proxy
19 | ConfigurationDirectoryMode=0750
20 | ProtectSystem=strict
21 | ProtectHome=true
22 | PrivateTmp=true
23 | PrivateDevices=true
24 | ProtectHostname=true
25 | ProtectKernelTunables=true
26 | ProtectKernelModules=true
27 | ProtectKernelLogs=true
28 | ProtectControlGroups=true
29 | RestrictAddressFamilies=AF_INET AF_INET6
30 | RestrictNamespaces=net
31 | LockPersonality=true
32 | MemoryDenyWriteExecute=true
33 | RestrictRealtime=true
34 | RestrictSUIDSGID=true
35 | RemoveIPC=true
36 | SystemCallArchitectures=native
37 | # these are just needed to bind to low ports
38 | CapabilityBoundingSet=CAP_NET_BIND_SERVICE
39 | AmbientCapabilities=CAP_NET_BIND_SERVICE
40 | 
41 | # this is any existing group the key/cert can be owned by
42 | # so that our random user can read them
43 | # not needed at all without TLS, can comment out
44 | # see https://github.com/systemd/systemd/issues/9535
45 | SupplementaryGroups=systemd-network
46 | 
47 | [Install]
48 | WantedBy=multi-user.target
49 | 


--------------------------------------------------------------------------------
/fuzz/Cargo.toml:
--------------------------------------------------------------------------------
 1 | [package]
 2 | name = "fuzz"
 3 | version = "0.1.0"
 4 | authors = ["moparisthebest <admin@moparisthebest.com>"]
 5 | edition = "2018"
 6 | 
 7 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 8 | 
 9 | [dependencies]
10 | afl = "0.15.1"
11 | xmpp-proxy = { path = "..", default-features = false, features = [] }
12 | tokio = { version = "1.35", features = ["net", "rt", "rt-multi-thread", "macros", "io-util"] }
13 | sha256 = "1.4.0"
14 | rxml = "0.9.1"
15 | 


--------------------------------------------------------------------------------
/fuzz/in/1.xml:
--------------------------------------------------------------------------------
1 | <?xml version='1.0'?>
2 | 


--------------------------------------------------------------------------------
/fuzz/in/2.xml:
--------------------------------------------------------------------------------
1 | <element/>
2 | 


--------------------------------------------------------------------------------
/fuzz/in/3.xml:
--------------------------------------------------------------------------------
1 | <element attr="abc" attr='def'/>
2 | 


--------------------------------------------------------------------------------
/fuzz/in/4.xml:
--------------------------------------------------------------------------------
1 | <element><![CDATA[ fun ]] ]]></element>
2 | 


--------------------------------------------------------------------------------
/fuzz/in/5.xml:
--------------------------------------------------------------------------------
1 | <foo><bar/><baz><fnord/></baz></foo>
2 | 


--------------------------------------------------------------------------------
/fuzz/in/6.xml:
--------------------------------------------------------------------------------
1 | <foo>with <bar/>some<baz>content <fnord/>mixed </baz>into them</foo>
2 | 


--------------------------------------------------------------------------------
/fuzz/in/7.xml:
--------------------------------------------------------------------------------
1 | <?xml version='1.0' encoding='utf-8' ?>
2 | <foo>
3 |   <bar>&amp;</bar>
4 |   <hello xmlns="urn:xmpp"><prefix:world/></hello>
5 | </foo>
6 | 


--------------------------------------------------------------------------------
/fuzz/src/main.rs:
--------------------------------------------------------------------------------
 1 | use std::io::{Cursor, Write};
 2 | use tokio::runtime::Runtime;
 3 | use xmpp_proxy::stanzafilter::{StanzaFilter, StanzaReader};
 4 | 
 5 | fn main() {
 6 |     std::fs::create_dir_all("/tmp/afl_test_gen/").unwrap();
 7 |     afl::fuzz!(|data: &[u8]| {
 8 |         let rt = Runtime::new().unwrap();
 9 | 
10 |         rt.block_on(async {
11 |             let mut filter = StanzaFilter::new(262_144);
12 |             let mut stanza_reader = StanzaReader(Cursor::new(data));
13 |             while let Ok(Some(stanza)) = stanza_reader.next(&mut filter).await {
14 |                 let mut fp = rxml::FeedParser::default();
15 |                 let result = rxml::as_eof_flag(fp.parse_all(&mut &stanza[..], true, |_ev| {
16 |                     //println!("got event: {:?}", ev);
17 |                 }));
18 |                 // true indicates eof
19 |                 if let Ok(result) = result {
20 |                     if result {
21 |                         // wow, afl generated us valid XML, lets output it as a test case
22 |                         let fname = sha256::digest(stanza);
23 |                         if let Ok(mut file) = std::fs::OpenOptions::new()
24 |                             .read(true)
25 |                             .write(true)
26 |                             .create_new(true)
27 |                             .open("/tmp/afl_test_gen/".to_owned() + fname.as_str())
28 |                         {
29 |                             file.write_all(stanza).unwrap();
30 |                             file.sync_all().unwrap();
31 |                         }
32 |                     } else {
33 |                         // more data is required, stanzafilter should never let this happen, let's panic
34 |                         panic!("more data required?");
35 |                     }
36 |                 }
37 |             }
38 |         })
39 |     });
40 | }
41 | 


--------------------------------------------------------------------------------
/fuzz/xml.dict:
--------------------------------------------------------------------------------
 1 | #
 2 | # AFL dictionary for XML
 3 | # ----------------------
 4 | #
 5 | # Several basic syntax elements and attributes, modeled on libxml2.
 6 | #
 7 | # Created by Michal Zalewski <lcamtuf@google.com>
 8 | #
 9 | 
10 | attr_encoding=" encoding=\"1\""
11 | attr_generic=" a=\"1\""
12 | attr_href=" href=\"1\""
13 | attr_standalone=" standalone=\"no\""
14 | attr_version=" version=\"1\""
15 | attr_xml_base=" xml:base=\"1\""
16 | attr_xml_id=" xml:id=\"1\""
17 | attr_xml_lang=" xml:lang=\"1\""
18 | attr_xml_space=" xml:space=\"1\""
19 | attr_xmlns=" xmlns=\"1\""
20 | 
21 | entity_builtin="&lt;"
22 | entity_decimal="&#1;"
23 | entity_external="&a;"
24 | entity_hex="&#x1;"
25 | 
26 | string_any="ANY"
27 | string_brackets="[]"
28 | string_cdata="CDATA"
29 | string_col_fallback=":fallback"
30 | string_col_generic=":a"
31 | string_col_include=":include"
32 | string_dashes="--"
33 | string_empty="EMPTY"
34 | string_empty_dblquotes="\"\""
35 | string_empty_quotes="''"
36 | string_entities="ENTITIES"
37 | string_entity="ENTITY"
38 | string_fixed="#FIXED"
39 | string_id="ID"
40 | string_idref="IDREF"
41 | string_idrefs="IDREFS"
42 | string_implied="#IMPLIED"
43 | string_nmtoken="NMTOKEN"
44 | string_nmtokens="NMTOKENS"
45 | string_notation="NOTATION"
46 | string_parentheses="()"
47 | string_pcdata="#PCDATA"
48 | string_percent="%a"
49 | string_public="PUBLIC"
50 | string_required="#REQUIRED"
51 | string_schema=":schema"
52 | string_system="SYSTEM"
53 | string_ucs4="UCS-4"
54 | string_utf16="UTF-16"
55 | string_utf8="UTF-8"
56 | string_xmlns="xmlns:"
57 | 
58 | tag_attlist="<!ATTLIST"
59 | tag_cdata="<![CDATA["
60 | tag_close="</a>"
61 | tag_doctype="<!DOCTYPE"
62 | tag_element="<!ELEMENT"
63 | tag_entity="<!ENTITY"
64 | tag_ignore="<![IGNORE["
65 | tag_include="<![INCLUDE["
66 | tag_notation="<!NOTATION"
67 | tag_open="<a>"
68 | tag_open_close="<a />"
69 | tag_open_exclamation="<!"
70 | tag_open_q="<?"
71 | tag_sq2_close="]]>"
72 | tag_xml_q="<?xml?>"
73 | 


--------------------------------------------------------------------------------
/integration/00-no-tls/example.org.zone:
--------------------------------------------------------------------------------
 1 | $TTL 300
 2 | ; example.org
 3 | @       IN      SOA     ns1.example.org. postmaster.example.org. (
 4 |                                         2018111111 ; Serial
 5 |                                         28800      ; Refresh
 6 |                                         1800       ; Retry
 7 |                                         604800     ; Expire - 1 week
 8 |                                         86400 )    ; Negative Cache TTL
 9 |                 IN      NS      ns1
10 | ns1             IN      A       192.5.0.10
11 | server1         IN      A       192.5.0.20
12 | server2         IN      A       192.5.0.30
13 | 
14 | scansion.one    IN      CNAME   server1
15 | scansion.two    IN      CNAME   server1
16 | 


--------------------------------------------------------------------------------
/integration/01-starttls/example.org.zone:
--------------------------------------------------------------------------------
 1 | $TTL 300
 2 | ; example.org
 3 | @       IN      SOA     ns1.example.org. postmaster.example.org. (
 4 |                                         2018111111 ; Serial
 5 |                                         28800      ; Refresh
 6 |                                         1800       ; Retry
 7 |                                         604800     ; Expire - 1 week
 8 |                                         86400 )    ; Negative Cache TTL
 9 |                 IN      NS      ns1
10 | ns1             IN      A       192.5.0.10
11 | server1         IN      A       192.5.0.20
12 | server2         IN      A       192.5.0.30
13 | 
14 | scansion.one    IN      CNAME   server1
15 | scansion.two    IN      CNAME   server1
16 | 


--------------------------------------------------------------------------------
/integration/02-client-a-record-starttls/example.org.zone:
--------------------------------------------------------------------------------
 1 | $TTL 300
 2 | ; example.org
 3 | @       IN      SOA     ns1.example.org. postmaster.example.org. (
 4 |                                         2018111111 ; Serial
 5 |                                         28800      ; Refresh
 6 |                                         1800       ; Retry
 7 |                                         604800     ; Expire - 1 week
 8 |                                         86400 )    ; Negative Cache TTL
 9 |                 IN      NS      ns1
10 | ns1             IN      A       192.5.0.10
11 | server1         IN      A       192.5.0.20
12 | server2         IN      A       192.5.0.30
13 | xp1         IN      A       192.5.0.40
14 | xp2         IN      A       192.5.0.50
15 | 
16 | one    IN      CNAME   server1
17 | two    IN      CNAME   server1
18 | 
19 | scansion.one    IN      CNAME   xp1
20 | scansion.two    IN      CNAME   xp1
21 | 


--------------------------------------------------------------------------------
/integration/02-client-a-record-starttls/xmpp-proxy1.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:5222" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "127.0.0.1:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "127.0.0.1:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/certs/rsa/one.example.org.key"
34 | tls_cert = "/etc/certs/rsa/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/03-client-srv-record-starttls/example.org.zone:
--------------------------------------------------------------------------------
 1 | $TTL 300
 2 | ; example.org
 3 | @       IN      SOA     ns1.example.org. postmaster.example.org. (
 4 |                                         2018111111 ; Serial
 5 |                                         28800      ; Refresh
 6 |                                         1800       ; Retry
 7 |                                         604800     ; Expire - 1 week
 8 |                                         86400 )    ; Negative Cache TTL
 9 |                 IN      NS      ns1
10 | ns1             IN      A       192.5.0.10
11 | server1         IN      A       192.5.0.20
12 | server2         IN      A       192.5.0.30
13 | xp1         IN      A       192.5.0.40
14 | xp2         IN      A       192.5.0.50
15 | 
16 | _xmpp-client._tcp.one  IN      SRV     5   1       5555     server1
17 | _xmpp-client._tcp.two  IN      SRV     5   1       5555     server1
18 | 
19 | scansion.one    IN      CNAME   xp1
20 | scansion.two    IN      CNAME   xp1
21 | 


--------------------------------------------------------------------------------
/integration/03-client-srv-record-starttls/xmpp-proxy1.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:5222" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "127.0.0.1:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "127.0.0.1:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/certs/rsa/one.example.org.key"
34 | tls_cert = "/etc/certs/rsa/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/04-client-a-record-tls/example.org.zone:
--------------------------------------------------------------------------------
 1 | $TTL 300
 2 | ; example.org
 3 | @       IN      SOA     ns1.example.org. postmaster.example.org. (
 4 |                                         2018111111 ; Serial
 5 |                                         28800      ; Refresh
 6 |                                         1800       ; Retry
 7 |                                         604800     ; Expire - 1 week
 8 |                                         86400 )    ; Negative Cache TTL
 9 |                 IN      NS      ns1
10 | ns1             IN      A       192.5.0.10
11 | server1         IN      A       192.5.0.20
12 | server2         IN      A       192.5.0.30
13 | xp1         IN      A       192.5.0.40
14 | xp2         IN      A       192.5.0.50
15 | 
16 | one    IN      CNAME   server1
17 | two    IN      CNAME   server1
18 | 
19 | scansion.one    IN      CNAME   xp1
20 | scansion.two    IN      CNAME   xp1
21 | 


--------------------------------------------------------------------------------
/integration/04-client-a-record-tls/xmpp-proxy1.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:5222" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "127.0.0.1:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "127.0.0.1:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/certs/rsa/one.example.org.key"
34 | tls_cert = "/etc/certs/rsa/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/05-client-srv-record-tls/example.org.zone:
--------------------------------------------------------------------------------
 1 | $TTL 300
 2 | ; example.org
 3 | @       IN      SOA     ns1.example.org. postmaster.example.org. (
 4 |                                         2018111111 ; Serial
 5 |                                         28800      ; Refresh
 6 |                                         1800       ; Retry
 7 |                                         604800     ; Expire - 1 week
 8 |                                         86400 )    ; Negative Cache TTL
 9 |                 IN      NS      ns1
10 | ns1             IN      A       192.5.0.10
11 | server1         IN      A       192.5.0.20
12 | server2         IN      A       192.5.0.30
13 | xp1         IN      A       192.5.0.40
14 | xp2         IN      A       192.5.0.50
15 | 
16 | _xmpps-client._tcp.one  IN      SRV     5   1       5443     server1
17 | _xmpps-client._tcp.two  IN      SRV     5   1       5443     server1
18 | 
19 | scansion.one    IN      CNAME   xp1
20 | scansion.two    IN      CNAME   xp1
21 | 


--------------------------------------------------------------------------------
/integration/05-client-srv-record-tls/xmpp-proxy1.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:5222" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "127.0.0.1:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "127.0.0.1:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/certs/rsa/one.example.org.key"
34 | tls_cert = "/etc/certs/rsa/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/06-client-websocket/example.org.zone:
--------------------------------------------------------------------------------
 1 | $TTL 300
 2 | ; example.org
 3 | @       IN      SOA     ns1.example.org. postmaster.example.org. (
 4 |                                         2018111111 ; Serial
 5 |                                         28800      ; Refresh
 6 |                                         1800       ; Retry
 7 |                                         604800     ; Expire - 1 week
 8 |                                         86400 )    ; Negative Cache TTL
 9 |                 IN      NS      ns1
10 | ns1             IN      A       192.5.0.10
11 | server1         IN      A       192.5.0.20
12 | server2         IN      A       192.5.0.30
13 | xp1         IN      A       192.5.0.40
14 | xp2         IN      A       192.5.0.50
15 | 
16 | one    IN      CNAME   server1
17 | two    IN      CNAME   server1
18 | _xmppconnect.one     IN      TXT     "_xmpp-client-websocket=wss://one.example.org:5281/xmpp-websocket"
19 | _xmppconnect.two     IN      TXT     "_xmpp-client-websocket=wss://two.example.org:5281/xmpp-websocket"
20 | 
21 | scansion.one    IN      CNAME   xp1
22 | scansion.two    IN      CNAME   xp1
23 | 


--------------------------------------------------------------------------------
/integration/06-client-websocket/xmpp-proxy1.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:5222" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "127.0.0.1:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "127.0.0.1:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/certs/rsa/one.example.org.key"
34 | tls_cert = "/etc/certs/rsa/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/07-c2s-starttls/example.org.zone:
--------------------------------------------------------------------------------
 1 | $TTL 300
 2 | ; example.org
 3 | @       IN      SOA     ns1.example.org. postmaster.example.org. (
 4 |                                         2018111111 ; Serial
 5 |                                         28800      ; Refresh
 6 |                                         1800       ; Retry
 7 |                                         604800     ; Expire - 1 week
 8 |                                         86400 )    ; Negative Cache TTL
 9 |                 IN      NS      ns1
10 | ns1             IN      A       192.5.0.10
11 | server1         IN      A       192.5.0.20
12 | server2         IN      A       192.5.0.30
13 | xp1         IN      A       192.5.0.40
14 | xp2         IN      A       192.5.0.50
15 | xp3         IN      A       192.5.0.60
16 | 
17 | one    IN      CNAME   xp1
18 | two    IN      CNAME   xp1
19 | 
20 | scansion.one    IN      CNAME   xp3
21 | scansion.two    IN      CNAME   xp3
22 | 


--------------------------------------------------------------------------------
/integration/07-c2s-starttls/xmpp-proxy1.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ "0.0.0.0:5222" ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "192.5.0.20:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "192.5.0.20:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/prosody/certs/wildcard.key"
34 | tls_cert = "/etc/prosody/certs/wildcard.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/07-c2s-starttls/xmpp-proxy3.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:5222" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "127.0.0.1:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "127.0.0.1:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/certs/rsa/one.example.org.key"
34 | tls_cert = "/etc/certs/rsa/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/08-c2s-tls/example.org.zone:
--------------------------------------------------------------------------------
 1 | $TTL 300
 2 | ; example.org
 3 | @       IN      SOA     ns1.example.org. postmaster.example.org. (
 4 |                                         2018111111 ; Serial
 5 |                                         28800      ; Refresh
 6 |                                         1800       ; Retry
 7 |                                         604800     ; Expire - 1 week
 8 |                                         86400 )    ; Negative Cache TTL
 9 |                 IN      NS      ns1
10 | ns1             IN      A       192.5.0.10
11 | server1         IN      A       192.5.0.20
12 | server2         IN      A       192.5.0.30
13 | xp1         IN      A       192.5.0.40
14 | xp2         IN      A       192.5.0.50
15 | xp3         IN      A       192.5.0.60
16 | 
17 | one    IN      CNAME   xp1
18 | two    IN      CNAME   xp1
19 | 
20 | scansion.one    IN      CNAME   xp3
21 | scansion.two    IN      CNAME   xp3
22 | 


--------------------------------------------------------------------------------
/integration/08-c2s-tls/xmpp-proxy1.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ "0.0.0.0:443" ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "192.5.0.20:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "192.5.0.20:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/prosody/certs/wildcard.key"
34 | tls_cert = "/etc/prosody/certs/wildcard.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/08-c2s-tls/xmpp-proxy3.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:5222" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "127.0.0.1:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "127.0.0.1:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/certs/rsa/one.example.org.key"
34 | tls_cert = "/etc/certs/rsa/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/09-c2s-a-record-quic/example.org.zone:
--------------------------------------------------------------------------------
 1 | $TTL 300
 2 | ; example.org
 3 | @       IN      SOA     ns1.example.org. postmaster.example.org. (
 4 |                                         2018111111 ; Serial
 5 |                                         28800      ; Refresh
 6 |                                         1800       ; Retry
 7 |                                         604800     ; Expire - 1 week
 8 |                                         86400 )    ; Negative Cache TTL
 9 |                 IN      NS      ns1
10 | ns1             IN      A       192.5.0.10
11 | server1         IN      A       192.5.0.20
12 | server2         IN      A       192.5.0.30
13 | xp1         IN      A       192.5.0.40
14 | xp2         IN      A       192.5.0.50
15 | xp3         IN      A       192.5.0.60
16 | 
17 | one    IN      CNAME   xp1
18 | two    IN      CNAME   xp1
19 | 
20 | scansion.one    IN      CNAME   xp3
21 | scansion.two    IN      CNAME   xp3
22 | 


--------------------------------------------------------------------------------
/integration/09-c2s-a-record-quic/xmpp-proxy1.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ "0.0.0.0:443" ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "192.5.0.20:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "192.5.0.20:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/prosody/certs/wildcard.key"
34 | tls_cert = "/etc/prosody/certs/wildcard.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/09-c2s-a-record-quic/xmpp-proxy3.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:5222" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "127.0.0.1:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "127.0.0.1:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/certs/rsa/one.example.org.key"
34 | tls_cert = "/etc/certs/rsa/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/10-client-srv-record-quic/example.org.zone:
--------------------------------------------------------------------------------
 1 | $TTL 300
 2 | ; example.org
 3 | @       IN      SOA     ns1.example.org. postmaster.example.org. (
 4 |                                         2018111111 ; Serial
 5 |                                         28800      ; Refresh
 6 |                                         1800       ; Retry
 7 |                                         604800     ; Expire - 1 week
 8 |                                         86400 )    ; Negative Cache TTL
 9 |                 IN      NS      ns1
10 | ns1             IN      A       192.5.0.10
11 | server1         IN      A       192.5.0.20
12 | server2         IN      A       192.5.0.30
13 | xp1         IN      A       192.5.0.40
14 | xp2         IN      A       192.5.0.50
15 | xp3         IN      A       192.5.0.60
16 | 
17 | _xmppq-client._udp.one  IN      SRV     5   1       5443     xp1
18 | _xmppq-client._udp.two  IN      SRV     5   1       5443     xp1
19 | 
20 | scansion.one    IN      CNAME   xp3
21 | scansion.two    IN      CNAME   xp3
22 | 


--------------------------------------------------------------------------------
/integration/10-client-srv-record-quic/xmpp-proxy1.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ "0.0.0.0:5443" ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "192.5.0.20:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "192.5.0.20:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/prosody/certs/wildcard.key"
34 | tls_cert = "/etc/prosody/certs/wildcard.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/10-client-srv-record-quic/xmpp-proxy3.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:5222" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "127.0.0.1:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "127.0.0.1:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/certs/rsa/one.example.org.key"
34 | tls_cert = "/etc/certs/rsa/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/11-c2s-websocket/example.org.zone:
--------------------------------------------------------------------------------
 1 | $TTL 300
 2 | ; example.org
 3 | @       IN      SOA     ns1.example.org. postmaster.example.org. (
 4 |                                         2018111111 ; Serial
 5 |                                         28800      ; Refresh
 6 |                                         1800       ; Retry
 7 |                                         604800     ; Expire - 1 week
 8 |                                         86400 )    ; Negative Cache TTL
 9 |                 IN      NS      ns1
10 | ns1             IN      A       192.5.0.10
11 | server1         IN      A       192.5.0.20
12 | server2         IN      A       192.5.0.30
13 | xp1         IN      A       192.5.0.40
14 | xp2         IN      A       192.5.0.50
15 | xp3         IN      A       192.5.0.60
16 | 
17 | one    IN      CNAME   xp1
18 | two    IN      CNAME   xp1
19 | _xmppconnect.one     IN      TXT     "_xmpp-client-websocket=wss://one.example.org:5281/xmpp-websocket"
20 | _xmppconnect.two     IN      TXT     "_xmpp-client-websocket=wss://two.example.org:5281/xmpp-websocket"
21 | 
22 | scansion.one    IN      CNAME   xp3
23 | scansion.two    IN      CNAME   xp3
24 | 


--------------------------------------------------------------------------------
/integration/11-c2s-websocket/xmpp-proxy1.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ "0.0.0.0:5281" ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 7 | outgoing_listen = [ ]
 8 | 
 9 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
10 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
11 | 
12 | # c2s port backend XMPP server listens on
13 | c2s_target = "192.5.0.20:15222"
14 | 
15 | # s2s port backend XMPP server listens on
16 | s2s_target = "192.5.0.20:15269"
17 | 
18 | # send PROXYv1 header to backend XMPP server
19 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
20 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
21 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
22 | proxy = true
23 | 
24 | # limit incoming stanzas to this many bytes, default to ejabberd's default
25 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
26 | # xmpp-proxy will use this many bytes + 16k per connection
27 | max_stanza_size_bytes = 262_144
28 | 
29 | # TLS key/certificate valid for all your XMPP domains, PEM format
30 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
31 | tls_key = "/etc/prosody/certs/wildcard.key"
32 | tls_cert = "/etc/prosody/certs/wildcard.crt"
33 | 
34 | # configure logging, defaults are commented
35 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
36 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
37 | #log_level = "info"
38 | # for development/debugging:
39 | log_level = "info,xmpp_proxy=trace"
40 | 
41 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
42 | #log_style = "never"
43 | 


--------------------------------------------------------------------------------
/integration/11-c2s-websocket/xmpp-proxy3.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:5222" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "127.0.0.1:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "127.0.0.1:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/certs/rsa/one.example.org.key"
34 | tls_cert = "/etc/certs/rsa/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/12-s2s-a-record-starttls/example.org.zone:
--------------------------------------------------------------------------------
 1 | $TTL 300
 2 | ; example.org
 3 | @       IN      SOA     ns1.example.org. postmaster.example.org. (
 4 |                                         2018111111 ; Serial
 5 |                                         28800      ; Refresh
 6 |                                         1800       ; Retry
 7 |                                         604800     ; Expire - 1 week
 8 |                                         86400 )    ; Negative Cache TTL
 9 |                 IN      NS      ns1
10 | ns1             IN      A       192.5.0.10
11 | server1         IN      A       192.5.0.20
12 | server2         IN      A       192.5.0.30
13 | xp1         IN      A       192.5.0.40
14 | xp2         IN      A       192.5.0.50
15 | xp3         IN      A       192.5.0.60
16 | 
17 | one    IN      CNAME   xp1
18 | two    IN      CNAME   xp2
19 | 
20 | scansion.one    IN      CNAME   xp3
21 | scansion.two    IN      CNAME   xp3
22 | 


--------------------------------------------------------------------------------
/integration/12-s2s-a-record-starttls/xmpp-proxy1.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:5269" ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:15270" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "192.5.0.20:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "192.5.0.20:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/prosody/certs/one.example.org.key"
34 | tls_cert = "/etc/prosody/certs/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/12-s2s-a-record-starttls/xmpp-proxy2.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:5269" ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:15270" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "192.5.0.30:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "192.5.0.30:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/prosody/certs/two.example.org.key"
34 | tls_cert = "/etc/prosody/certs/two.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/12-s2s-a-record-starttls/xmpp-proxy3.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:5222" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "127.0.0.1:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "127.0.0.1:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/certs/rsa/one.example.org.key"
34 | tls_cert = "/etc/certs/rsa/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/13-s2s-srv-record-starttls/example.org.zone:
--------------------------------------------------------------------------------
 1 | $TTL 300
 2 | ; example.org
 3 | @       IN      SOA     ns1.example.org. postmaster.example.org. (
 4 |                                         2018111111 ; Serial
 5 |                                         28800      ; Refresh
 6 |                                         1800       ; Retry
 7 |                                         604800     ; Expire - 1 week
 8 |                                         86400 )    ; Negative Cache TTL
 9 |                 IN      NS      ns1
10 | ns1             IN      A       192.5.0.10
11 | server1         IN      A       192.5.0.20
12 | server2         IN      A       192.5.0.30
13 | xp1         IN      A       192.5.0.40
14 | xp2         IN      A       192.5.0.50
15 | xp3         IN      A       192.5.0.60
16 | 
17 | one    IN      CNAME   xp1
18 | two    IN      CNAME   xp2
19 | _xmpp-server._tcp.one  IN      SRV     5   1       52269     xp1
20 | _xmpp-server._tcp.two  IN      SRV     5   1       52269     xp2
21 | 
22 | scansion.one    IN      CNAME   xp3
23 | scansion.two    IN      CNAME   xp3
24 | 


--------------------------------------------------------------------------------
/integration/13-s2s-srv-record-starttls/xmpp-proxy1.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:52269" ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:15270" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "192.5.0.20:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "192.5.0.20:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/prosody/certs/one.example.org.key"
34 | tls_cert = "/etc/prosody/certs/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/13-s2s-srv-record-starttls/xmpp-proxy2.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:52269" ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:15270" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "192.5.0.30:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "192.5.0.30:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/prosody/certs/two.example.org.key"
34 | tls_cert = "/etc/prosody/certs/two.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/13-s2s-srv-record-starttls/xmpp-proxy3.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:5222" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "127.0.0.1:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "127.0.0.1:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/certs/rsa/one.example.org.key"
34 | tls_cert = "/etc/certs/rsa/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/14-s2s-a-record-tls/example.org.zone:
--------------------------------------------------------------------------------
 1 | $TTL 300
 2 | ; example.org
 3 | @       IN      SOA     ns1.example.org. postmaster.example.org. (
 4 |                                         2018111111 ; Serial
 5 |                                         28800      ; Refresh
 6 |                                         1800       ; Retry
 7 |                                         604800     ; Expire - 1 week
 8 |                                         86400 )    ; Negative Cache TTL
 9 |                 IN      NS      ns1
10 | ns1             IN      A       192.5.0.10
11 | server1         IN      A       192.5.0.20
12 | server2         IN      A       192.5.0.30
13 | xp1         IN      A       192.5.0.40
14 | xp2         IN      A       192.5.0.50
15 | xp3         IN      A       192.5.0.60
16 | 
17 | one    IN      CNAME   xp1
18 | two    IN      CNAME   xp2
19 | 
20 | scansion.one    IN      CNAME   xp3
21 | scansion.two    IN      CNAME   xp3
22 | 


--------------------------------------------------------------------------------
/integration/14-s2s-a-record-tls/xmpp-proxy1.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:443" ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:15270" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "192.5.0.20:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "192.5.0.20:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/prosody/certs/one.example.org.key"
34 | tls_cert = "/etc/prosody/certs/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/14-s2s-a-record-tls/xmpp-proxy2.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:443" ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:15270" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "192.5.0.30:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "192.5.0.30:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/prosody/certs/two.example.org.key"
34 | tls_cert = "/etc/prosody/certs/two.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/14-s2s-a-record-tls/xmpp-proxy3.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:5222" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "127.0.0.1:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "127.0.0.1:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/certs/rsa/one.example.org.key"
34 | tls_cert = "/etc/certs/rsa/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/15-s2s-srv-record-tls/example.org.zone:
--------------------------------------------------------------------------------
 1 | $TTL 300
 2 | ; example.org
 3 | @       IN      SOA     ns1.example.org. postmaster.example.org. (
 4 |                                         2018111111 ; Serial
 5 |                                         28800      ; Refresh
 6 |                                         1800       ; Retry
 7 |                                         604800     ; Expire - 1 week
 8 |                                         86400 )    ; Negative Cache TTL
 9 |                 IN      NS      ns1
10 | ns1             IN      A       192.5.0.10
11 | server1         IN      A       192.5.0.20
12 | server2         IN      A       192.5.0.30
13 | xp1         IN      A       192.5.0.40
14 | xp2         IN      A       192.5.0.50
15 | xp3         IN      A       192.5.0.60
16 | 
17 | one    IN      CNAME   xp1
18 | two    IN      CNAME   xp2
19 | _xmpps-server._tcp.one  IN      SRV     5   1       52269     xp1
20 | _xmpps-server._tcp.two  IN      SRV     5   1       52269     xp2
21 | 
22 | scansion.one    IN      CNAME   xp3
23 | scansion.two    IN      CNAME   xp3
24 | 


--------------------------------------------------------------------------------
/integration/15-s2s-srv-record-tls/xmpp-proxy1.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:52269" ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:15270" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "192.5.0.20:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "192.5.0.20:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/prosody/certs/one.example.org.key"
34 | tls_cert = "/etc/prosody/certs/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/15-s2s-srv-record-tls/xmpp-proxy2.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:52269" ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:15270" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "192.5.0.30:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "192.5.0.30:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/prosody/certs/two.example.org.key"
34 | tls_cert = "/etc/prosody/certs/two.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/15-s2s-srv-record-tls/xmpp-proxy3.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:5222" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "127.0.0.1:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "127.0.0.1:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/certs/rsa/one.example.org.key"
34 | tls_cert = "/etc/certs/rsa/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/16-s2s-a-record-quic/example.org.zone:
--------------------------------------------------------------------------------
 1 | $TTL 300
 2 | ; example.org
 3 | @       IN      SOA     ns1.example.org. postmaster.example.org. (
 4 |                                         2018111111 ; Serial
 5 |                                         28800      ; Refresh
 6 |                                         1800       ; Retry
 7 |                                         604800     ; Expire - 1 week
 8 |                                         86400 )    ; Negative Cache TTL
 9 |                 IN      NS      ns1
10 | ns1             IN      A       192.5.0.10
11 | server1         IN      A       192.5.0.20
12 | server2         IN      A       192.5.0.30
13 | xp1         IN      A       192.5.0.40
14 | xp2         IN      A       192.5.0.50
15 | xp3         IN      A       192.5.0.60
16 | 
17 | one    IN      CNAME   xp1
18 | two    IN      CNAME   xp2
19 | 
20 | scansion.one    IN      CNAME   xp3
21 | scansion.two    IN      CNAME   xp3
22 | 


--------------------------------------------------------------------------------
/integration/16-s2s-a-record-quic/xmpp-proxy1.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ "0.0.0.0:5222" ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ "0.0.0.0:443" ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:15270" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "192.5.0.20:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "192.5.0.20:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/prosody/certs/one.example.org.key"
34 | tls_cert = "/etc/prosody/certs/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/16-s2s-a-record-quic/xmpp-proxy2.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ "0.0.0.0:5222" ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ "0.0.0.0:443" ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:15270" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "192.5.0.30:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "192.5.0.30:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/prosody/certs/two.example.org.key"
34 | tls_cert = "/etc/prosody/certs/two.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/16-s2s-a-record-quic/xmpp-proxy3.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:5222" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "127.0.0.1:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "127.0.0.1:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/certs/rsa/one.example.org.key"
34 | tls_cert = "/etc/certs/rsa/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/17-s2s-srv-record-quic/example.org.zone:
--------------------------------------------------------------------------------
 1 | $TTL 300
 2 | ; example.org
 3 | @       IN      SOA     ns1.example.org. postmaster.example.org. (
 4 |                                         2018111111 ; Serial
 5 |                                         28800      ; Refresh
 6 |                                         1800       ; Retry
 7 |                                         604800     ; Expire - 1 week
 8 |                                         86400 )    ; Negative Cache TTL
 9 |                 IN      NS      ns1
10 | ns1             IN      A       192.5.0.10
11 | server1         IN      A       192.5.0.20
12 | server2         IN      A       192.5.0.30
13 | xp1         IN      A       192.5.0.40
14 | xp2         IN      A       192.5.0.50
15 | xp3         IN      A       192.5.0.60
16 | 
17 | one    IN      CNAME   xp1
18 | two    IN      CNAME   xp2
19 | _xmppq-server._udp.one  IN      SRV     5   1       52269     xp1
20 | _xmppq-server._udp.two  IN      SRV     5   1       52269     xp2
21 | 
22 | scansion.one    IN      CNAME   xp3
23 | scansion.two    IN      CNAME   xp3
24 | 


--------------------------------------------------------------------------------
/integration/17-s2s-srv-record-quic/xmpp-proxy1.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ "0.0.0.0:5222" ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ "0.0.0.0:52269" ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:15270" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "192.5.0.20:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "192.5.0.20:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/prosody/certs/one.example.org.key"
34 | tls_cert = "/etc/prosody/certs/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/17-s2s-srv-record-quic/xmpp-proxy2.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ "0.0.0.0:5222" ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ "0.0.0.0:52269" ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:15270" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "192.5.0.30:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "192.5.0.30:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/prosody/certs/two.example.org.key"
34 | tls_cert = "/etc/prosody/certs/two.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/17-s2s-srv-record-quic/xmpp-proxy3.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:5222" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "127.0.0.1:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "127.0.0.1:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/certs/rsa/one.example.org.key"
34 | tls_cert = "/etc/certs/rsa/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/18-s2s-websocket/example.org.zone:
--------------------------------------------------------------------------------
 1 | $TTL 300
 2 | ; example.org
 3 | @       IN      SOA     ns1.example.org. postmaster.example.org. (
 4 |                                         2018111111 ; Serial
 5 |                                         28800      ; Refresh
 6 |                                         1800       ; Retry
 7 |                                         604800     ; Expire - 1 week
 8 |                                         86400 )    ; Negative Cache TTL
 9 |                 IN      NS      ns1
10 | ns1             IN      A       192.5.0.10
11 | server1         IN      A       192.5.0.20
12 | server2         IN      A       192.5.0.30
13 | xp1         IN      A       192.5.0.40
14 | xp2         IN      A       192.5.0.50
15 | xp3         IN      A       192.5.0.60
16 | 
17 | one    IN      CNAME   xp1
18 | two    IN      CNAME   xp2
19 | _xmppconnect-server.one     IN      TXT     "_xmpp-server-websocket=wss://one.example.org:5281/xmpp-websocket"
20 | _xmppconnect-server.two     IN      TXT     "_xmpp-server-websocket=wss://two.example.org:5281/xmpp-websocket"
21 | 
22 | scansion.one    IN      CNAME   xp3
23 | scansion.two    IN      CNAME   xp3
24 | 


--------------------------------------------------------------------------------
/integration/18-s2s-websocket/xmpp-proxy1.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:5281" ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 7 | outgoing_listen = [ "0.0.0.0:15270" ]
 8 | 
 9 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
10 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
11 | 
12 | # c2s port backend XMPP server listens on
13 | c2s_target = "192.5.0.20:15222"
14 | 
15 | # s2s port backend XMPP server listens on
16 | s2s_target = "192.5.0.20:15269"
17 | 
18 | # send PROXYv1 header to backend XMPP server
19 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
20 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
21 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
22 | proxy = true
23 | 
24 | # limit incoming stanzas to this many bytes, default to ejabberd's default
25 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
26 | # xmpp-proxy will use this many bytes + 16k per connection
27 | max_stanza_size_bytes = 262_144
28 | 
29 | # TLS key/certificate valid for all your XMPP domains, PEM format
30 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
31 | tls_key = "/etc/prosody/certs/one.example.org.key"
32 | tls_cert = "/etc/prosody/certs/one.example.org.crt"
33 | 
34 | # configure logging, defaults are commented
35 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
36 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
37 | #log_level = "info"
38 | # for development/debugging:
39 | log_level = "info,xmpp_proxy=trace"
40 | 
41 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
42 | #log_style = "never"
43 | 


--------------------------------------------------------------------------------
/integration/18-s2s-websocket/xmpp-proxy2.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:5281" ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 7 | outgoing_listen = [ "0.0.0.0:15270" ]
 8 | 
 9 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
10 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
11 | 
12 | # c2s port backend XMPP server listens on
13 | c2s_target = "192.5.0.30:15222"
14 | 
15 | # s2s port backend XMPP server listens on
16 | s2s_target = "192.5.0.30:15269"
17 | 
18 | # send PROXYv1 header to backend XMPP server
19 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
20 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
21 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
22 | proxy = true
23 | 
24 | # limit incoming stanzas to this many bytes, default to ejabberd's default
25 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
26 | # xmpp-proxy will use this many bytes + 16k per connection
27 | max_stanza_size_bytes = 262_144
28 | 
29 | # TLS key/certificate valid for all your XMPP domains, PEM format
30 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
31 | tls_key = "/etc/prosody/certs/two.example.org.key"
32 | tls_cert = "/etc/prosody/certs/two.example.org.crt"
33 | 
34 | # configure logging, defaults are commented
35 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
36 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
37 | #log_level = "info"
38 | # for development/debugging:
39 | log_level = "info,xmpp_proxy=trace"
40 | 
41 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
42 | #log_style = "never"
43 | 


--------------------------------------------------------------------------------
/integration/18-s2s-websocket/xmpp-proxy3.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:5222" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "127.0.0.1:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "127.0.0.1:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/certs/rsa/one.example.org.key"
34 | tls_cert = "/etc/certs/rsa/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/19-client-websocket-host-meta/example.org.zone:
--------------------------------------------------------------------------------
 1 | $TTL 300
 2 | ; example.org
 3 | @       IN      SOA     ns1.example.org. postmaster.example.org. (
 4 |                                         2018111111 ; Serial
 5 |                                         28800      ; Refresh
 6 |                                         1800       ; Retry
 7 |                                         604800     ; Expire - 1 week
 8 |                                         86400 )    ; Negative Cache TTL
 9 |                 IN      NS      ns1
10 | ns1             IN      A       192.5.0.10
11 | server1         IN      A       192.5.0.20
12 | server2         IN      A       192.5.0.30
13 | xp1             IN      A       192.5.0.40
14 | xp2             IN      A       192.5.0.50
15 | xp3             IN      A       192.5.0.60
16 | web1            IN      A       192.5.0.70
17 | web2            IN      A       192.5.0.80
18 | 
19 | one    IN      CNAME   web1
20 | two    IN      CNAME   web1
21 | #_xmppconnect.one     IN      TXT     "_xmpp-client-websocket=wss://server1.example.org:5281/xmpp-websocket"
22 | #_xmppconnect.two     IN      TXT     "_xmpp-client-websocket=wss://server1.example.org:5281/xmpp-websocket"
23 | 
24 | scansion.one    IN      CNAME   xp1
25 | scansion.two    IN      CNAME   xp1
26 | 


--------------------------------------------------------------------------------
/integration/19-client-websocket-host-meta/nginx1.conf:
--------------------------------------------------------------------------------
 1 | daemon off;
 2 | worker_processes  1;
 3 | error_log stderr;
 4 | 
 5 | events {
 6 |     worker_connections  32;
 7 | }
 8 | 
 9 | http {
10 |     access_log /dev/stdout;
11 | 
12 |     server {
13 |         listen       443 ssl;
14 |         server_name  one.example.org two.example.org;
15 | 
16 |         ssl_certificate      /etc/prosody/certs/wildcard.crt;
17 |         ssl_certificate_key  /etc/prosody/certs/wildcard.key;
18 | 
19 |         location = /.well-known/host-meta {
20 |             default_type application/xrd+xml;
21 |             return 200 '<?xml version="1.0" encoding="UTF-8"?><XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"><Link rel="urn:xmpp:alt-connections:websocket" href="wss://server1.example.org:5281/xmpp-websocket"/></XRD>';
22 |         }
23 |     }
24 | 
25 | }
26 | 


--------------------------------------------------------------------------------
/integration/19-client-websocket-host-meta/xmpp-proxy1.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:5222" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "127.0.0.1:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "127.0.0.1:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/certs/rsa/one.example.org.key"
34 | tls_cert = "/etc/certs/rsa/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/20-client-websocket-host-meta-json/example.org.zone:
--------------------------------------------------------------------------------
 1 | $TTL 300
 2 | ; example.org
 3 | @       IN      SOA     ns1.example.org. postmaster.example.org. (
 4 |                                         2018111111 ; Serial
 5 |                                         28800      ; Refresh
 6 |                                         1800       ; Retry
 7 |                                         604800     ; Expire - 1 week
 8 |                                         86400 )    ; Negative Cache TTL
 9 |                 IN      NS      ns1
10 | ns1             IN      A       192.5.0.10
11 | server1         IN      A       192.5.0.20
12 | server2         IN      A       192.5.0.30
13 | xp1             IN      A       192.5.0.40
14 | xp2             IN      A       192.5.0.50
15 | xp3             IN      A       192.5.0.60
16 | web1            IN      A       192.5.0.70
17 | web2            IN      A       192.5.0.80
18 | 
19 | one    IN      CNAME   web1
20 | two    IN      CNAME   web1
21 | #_xmppconnect.one     IN      TXT     "_xmpp-client-websocket=wss://server1.example.org:5281/xmpp-websocket"
22 | #_xmppconnect.two     IN      TXT     "_xmpp-client-websocket=wss://server1.example.org:5281/xmpp-websocket"
23 | 
24 | scansion.one    IN      CNAME   xp1
25 | scansion.two    IN      CNAME   xp1
26 | 


--------------------------------------------------------------------------------
/integration/20-client-websocket-host-meta-json/nginx1.conf:
--------------------------------------------------------------------------------
 1 | daemon off;
 2 | worker_processes  1;
 3 | error_log stderr;
 4 | 
 5 | events {
 6 |     worker_connections  32;
 7 | }
 8 | 
 9 | http {
10 |     access_log /dev/stdout;
11 | 
12 |     server {
13 |         listen       443 ssl;
14 |         server_name  one.example.org two.example.org;
15 | 
16 |         ssl_certificate      /etc/prosody/certs/wildcard.crt;
17 |         ssl_certificate_key  /etc/prosody/certs/wildcard.key;
18 | 
19 |         location = /.well-known/host-meta.json {
20 |             default_type application/json;
21 |             return 200 '{"links":[{"rel":"urn:xmpp:alt-connections:websocket","href":"wss://server1.example.org:5281/xmpp-websocket"}]}';
22 |         }
23 |     }
24 | 
25 | }
26 | 


--------------------------------------------------------------------------------
/integration/20-client-websocket-host-meta-json/xmpp-proxy1.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:5222" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "127.0.0.1:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "127.0.0.1:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/prosody/certs/xp1.example.org.key"
34 | tls_cert = "/etc/prosody/certs/xp1.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/21-c2s-websocket-host-meta/example.org.zone:
--------------------------------------------------------------------------------
 1 | $TTL 300
 2 | ; example.org
 3 | @       IN      SOA     ns1.example.org. postmaster.example.org. (
 4 |                                         2018111111 ; Serial
 5 |                                         28800      ; Refresh
 6 |                                         1800       ; Retry
 7 |                                         604800     ; Expire - 1 week
 8 |                                         86400 )    ; Negative Cache TTL
 9 |                 IN      NS      ns1
10 | ns1             IN      A       192.5.0.10
11 | server1         IN      A       192.5.0.20
12 | server2         IN      A       192.5.0.30
13 | xp1             IN      A       192.5.0.40
14 | xp2             IN      A       192.5.0.50
15 | xp3             IN      A       192.5.0.60
16 | web1            IN      A       192.5.0.70
17 | web2            IN      A       192.5.0.80
18 | 
19 | one    IN      CNAME   web1
20 | two    IN      CNAME   web1
21 | #_xmppconnect.one     IN      TXT     "_xmpp-client-websocket=wss://one.example.org:5281/xmpp-websocket"
22 | #_xmppconnect.two     IN      TXT     "_xmpp-client-websocket=wss://two.example.org:5281/xmpp-websocket"
23 | 
24 | scansion.one    IN      CNAME   xp3
25 | scansion.two    IN      CNAME   xp3
26 | 


--------------------------------------------------------------------------------
/integration/21-c2s-websocket-host-meta/nginx1.conf:
--------------------------------------------------------------------------------
 1 | daemon off;
 2 | worker_processes  1;
 3 | error_log stderr;
 4 | 
 5 | events {
 6 |     worker_connections  32;
 7 | }
 8 | 
 9 | http {
10 |     access_log /dev/stdout;
11 | 
12 |     server {
13 |         listen       443 ssl;
14 |         server_name  one.example.org two.example.org;
15 | 
16 |         ssl_certificate      /etc/prosody/certs/wildcard.crt;
17 |         ssl_certificate_key  /etc/prosody/certs/wildcard.key;
18 | 
19 |         location = /.well-known/host-meta {
20 |             default_type application/xrd+xml;
21 |             return 200 '<?xml version="1.0" encoding="UTF-8"?><XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"><Link rel="urn:xmpp:alt-connections:websocket" href="wss://xp1.example.org:5281/xmpp-websocket"/></XRD>';
22 |         }
23 |     }
24 | 
25 | }
26 | 


--------------------------------------------------------------------------------
/integration/21-c2s-websocket-host-meta/xmpp-proxy1.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ "0.0.0.0:5281" ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 7 | outgoing_listen = [ ]
 8 | 
 9 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
10 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
11 | 
12 | # c2s port backend XMPP server listens on
13 | c2s_target = "192.5.0.20:15222"
14 | 
15 | # s2s port backend XMPP server listens on
16 | s2s_target = "192.5.0.20:15269"
17 | 
18 | # send PROXYv1 header to backend XMPP server
19 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
20 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
21 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
22 | proxy = true
23 | 
24 | # limit incoming stanzas to this many bytes, default to ejabberd's default
25 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
26 | # xmpp-proxy will use this many bytes + 16k per connection
27 | max_stanza_size_bytes = 262_144
28 | 
29 | # TLS key/certificate valid for all your XMPP domains, PEM format
30 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
31 | tls_key = "/etc/prosody/certs/xp1.example.org.key"
32 | tls_cert = "/etc/prosody/certs/xp1.example.org.crt"
33 | 
34 | # configure logging, defaults are commented
35 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
36 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
37 | #log_level = "info"
38 | # for development/debugging:
39 | log_level = "info,xmpp_proxy=trace"
40 | 
41 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
42 | #log_style = "never"
43 | 


--------------------------------------------------------------------------------
/integration/21-c2s-websocket-host-meta/xmpp-proxy3.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:5222" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "127.0.0.1:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "127.0.0.1:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/certs/rsa/one.example.org.key"
34 | tls_cert = "/etc/certs/rsa/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/22-c2s-websocket-host-meta-json/example.org.zone:
--------------------------------------------------------------------------------
 1 | $TTL 300
 2 | ; example.org
 3 | @       IN      SOA     ns1.example.org. postmaster.example.org. (
 4 |                                         2018111111 ; Serial
 5 |                                         28800      ; Refresh
 6 |                                         1800       ; Retry
 7 |                                         604800     ; Expire - 1 week
 8 |                                         86400 )    ; Negative Cache TTL
 9 |                 IN      NS      ns1
10 | ns1             IN      A       192.5.0.10
11 | server1         IN      A       192.5.0.20
12 | server2         IN      A       192.5.0.30
13 | xp1             IN      A       192.5.0.40
14 | xp2             IN      A       192.5.0.50
15 | xp3             IN      A       192.5.0.60
16 | web1            IN      A       192.5.0.70
17 | web2            IN      A       192.5.0.80
18 | 
19 | one    IN      CNAME   web1
20 | two    IN      CNAME   web1
21 | #_xmppconnect.one     IN      TXT     "_xmpp-client-websocket=wss://one.example.org:5281/xmpp-websocket"
22 | #_xmppconnect.two     IN      TXT     "_xmpp-client-websocket=wss://two.example.org:5281/xmpp-websocket"
23 | 
24 | scansion.one    IN      CNAME   xp3
25 | scansion.two    IN      CNAME   xp3
26 | 


--------------------------------------------------------------------------------
/integration/22-c2s-websocket-host-meta-json/nginx1.conf:
--------------------------------------------------------------------------------
 1 | daemon off;
 2 | worker_processes  1;
 3 | error_log stderr;
 4 | 
 5 | events {
 6 |     worker_connections  32;
 7 | }
 8 | 
 9 | http {
10 |     access_log /dev/stdout;
11 | 
12 |     server {
13 |         listen       443 ssl;
14 |         server_name  one.example.org two.example.org;
15 | 
16 |         ssl_certificate      /etc/prosody/certs/wildcard.crt;
17 |         ssl_certificate_key  /etc/prosody/certs/wildcard.key;
18 | 
19 |         location = /.well-known/host-meta.json {
20 |             default_type application/json;
21 |             return 200 '{"links":[{"rel":"urn:xmpp:alt-connections:websocket","href":"wss://xp1.example.org:5281/xmpp-websocket"}]}';
22 |         }
23 |     }
24 | 
25 | }
26 | 


--------------------------------------------------------------------------------
/integration/22-c2s-websocket-host-meta-json/xmpp-proxy1.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ "0.0.0.0:5281" ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 7 | outgoing_listen = [ ]
 8 | 
 9 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
10 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
11 | 
12 | # c2s port backend XMPP server listens on
13 | c2s_target = "192.5.0.20:15222"
14 | 
15 | # s2s port backend XMPP server listens on
16 | s2s_target = "192.5.0.20:15269"
17 | 
18 | # send PROXYv1 header to backend XMPP server
19 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
20 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
21 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
22 | proxy = true
23 | 
24 | # limit incoming stanzas to this many bytes, default to ejabberd's default
25 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
26 | # xmpp-proxy will use this many bytes + 16k per connection
27 | max_stanza_size_bytes = 262_144
28 | 
29 | # TLS key/certificate valid for all your XMPP domains, PEM format
30 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
31 | tls_key = "/etc/prosody/certs/xp1.example.org.key"
32 | tls_cert = "/etc/prosody/certs/xp1.example.org.crt"
33 | 
34 | # configure logging, defaults are commented
35 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
36 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
37 | #log_level = "info"
38 | # for development/debugging:
39 | log_level = "info,xmpp_proxy=trace"
40 | 
41 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
42 | #log_style = "never"
43 | 


--------------------------------------------------------------------------------
/integration/22-c2s-websocket-host-meta-json/xmpp-proxy3.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:5222" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "127.0.0.1:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "127.0.0.1:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/certs/rsa/one.example.org.key"
34 | tls_cert = "/etc/certs/rsa/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/24-s2s-websocket-host-meta-json/example.org.zone:
--------------------------------------------------------------------------------
 1 | $TTL 300
 2 | ; example.org
 3 | @       IN      SOA     ns1.example.org. postmaster.example.org. (
 4 |                                         2018111111 ; Serial
 5 |                                         28800      ; Refresh
 6 |                                         1800       ; Retry
 7 |                                         604800     ; Expire - 1 week
 8 |                                         86400 )    ; Negative Cache TTL
 9 |                 IN      NS      ns1
10 | ns1             IN      A       192.5.0.10
11 | server1         IN      A       192.5.0.20
12 | server2         IN      A       192.5.0.30
13 | xp1             IN      A       192.5.0.40
14 | xp2             IN      A       192.5.0.50
15 | xp3             IN      A       192.5.0.60
16 | web1            IN      A       192.5.0.70
17 | web2            IN      A       192.5.0.80
18 | 
19 | one    IN      CNAME   web1
20 | two    IN      CNAME   web2
21 | 
22 | scansion.one    IN      CNAME   xp3
23 | scansion.two    IN      CNAME   xp3
24 | 


--------------------------------------------------------------------------------
/integration/24-s2s-websocket-host-meta-json/nginx1.conf:
--------------------------------------------------------------------------------
 1 | daemon off;
 2 | worker_processes  1;
 3 | error_log stderr;
 4 | 
 5 | events {
 6 |     worker_connections  32;
 7 | }
 8 | 
 9 | http {
10 |     access_log /dev/stdout;
11 | 
12 |     server {
13 |         listen       443 ssl;
14 |         server_name  one.example.org;
15 | 
16 |         ssl_certificate      /etc/prosody/certs/one.example.org.crt;
17 |         ssl_certificate_key  /etc/prosody/certs/one.example.org.key;
18 |         
19 |         location = /.well-known/host-meta.json {
20 |             default_type application/json;
21 |             return 200 '{
22 |                         "links": [
23 |                             {
24 |                             "rel": "urn:xmpp:alt-connections:s2s-websocket",
25 |                             "href": "wss://xp1.example.org:5281/xmpp-websocket",
26 |                             "ips": [
27 |                                 "192.5.0.40"
28 |                             ],
29 |                             "priority": 15,
30 |                             "weight": 50,
31 |                             "sni": "xp1.example.org"
32 |                             },
33 |                             {
34 |                             "rel": "urn:xmpp:alt-connections:websocket",
35 |                             "href": "wss://xp1.example.org:5281/xmpp-websocket"
36 |                             }
37 |                         ]
38 |                         }';
39 |         }
40 |     }
41 | 
42 | }
43 | 


--------------------------------------------------------------------------------
/integration/24-s2s-websocket-host-meta-json/nginx2.conf:
--------------------------------------------------------------------------------
 1 | daemon off;
 2 | worker_processes  1;
 3 | error_log stderr;
 4 | 
 5 | events {
 6 |     worker_connections  32;
 7 | }
 8 | 
 9 | http {
10 |     access_log /dev/stdout;
11 | 
12 |     server {
13 |         listen       443 ssl;
14 |         server_name  two.example.org;
15 | 
16 |         ssl_certificate      /etc/prosody/certs/two.example.org.crt;
17 |         ssl_certificate_key  /etc/prosody/certs/two.example.org.key;
18 |         
19 |         location = /.well-known/host-meta.json {
20 |             default_type application/json;
21 |             return 200 '{
22 |                         "links": [
23 |                             {
24 |                             "rel": "urn:xmpp:alt-connections:s2s-websocket",
25 |                             "href": "wss://xp2.example.org:5281/xmpp-websocket",
26 |                             "ips": [
27 |                                 "192.5.0.50"
28 |                             ],
29 |                             "priority": 15,
30 |                             "weight": 50,
31 |                             "sni": "xp2.example.org"
32 |                             },
33 |                             {
34 |                             "rel": "urn:xmpp:alt-connections:websocket",
35 |                             "href": "wss://xp2.example.org:5281/xmpp-websocket"
36 |                             }
37 |                         ]
38 |                         }';
39 |         }
40 |     }
41 | 
42 | }
43 | 


--------------------------------------------------------------------------------
/integration/24-s2s-websocket-host-meta-json/xmpp-proxy1.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ "0.0.0.0:5281" ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 7 | outgoing_listen = [ "0.0.0.0:15270" ]
 8 | 
 9 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
10 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
11 | 
12 | # c2s port backend XMPP server listens on
13 | c2s_target = "192.5.0.20:15222"
14 | 
15 | # s2s port backend XMPP server listens on
16 | s2s_target = "192.5.0.20:15269"
17 | 
18 | # send PROXYv1 header to backend XMPP server
19 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
20 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
21 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
22 | proxy = true
23 | 
24 | # limit incoming stanzas to this many bytes, default to ejabberd's default
25 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
26 | # xmpp-proxy will use this many bytes + 16k per connection
27 | max_stanza_size_bytes = 262_144
28 | 
29 | # TLS key/certificate valid for all your XMPP domains, PEM format
30 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
31 | tls_key = "/etc/prosody/certs/xp1.example.org.key"
32 | tls_cert = "/etc/prosody/certs/xp1.example.org.crt"
33 | 
34 | # configure logging, defaults are commented
35 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
36 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
37 | #log_level = "info"
38 | # for development/debugging:
39 | log_level = "info,xmpp_proxy=trace"
40 | 
41 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
42 | #log_style = "never"
43 | 


--------------------------------------------------------------------------------
/integration/24-s2s-websocket-host-meta-json/xmpp-proxy2.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ "0.0.0.0:5281" ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 7 | outgoing_listen = [ "0.0.0.0:15270" ]
 8 | 
 9 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
10 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
11 | 
12 | # c2s port backend XMPP server listens on
13 | c2s_target = "192.5.0.30:15222"
14 | 
15 | # s2s port backend XMPP server listens on
16 | s2s_target = "192.5.0.30:15269"
17 | 
18 | # send PROXYv1 header to backend XMPP server
19 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
20 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
21 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
22 | proxy = true
23 | 
24 | # limit incoming stanzas to this many bytes, default to ejabberd's default
25 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
26 | # xmpp-proxy will use this many bytes + 16k per connection
27 | max_stanza_size_bytes = 262_144
28 | 
29 | # TLS key/certificate valid for all your XMPP domains, PEM format
30 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
31 | tls_key = "/etc/prosody/certs/xp2.example.org.key"
32 | tls_cert = "/etc/prosody/certs/xp2.example.org.crt"
33 | 
34 | # configure logging, defaults are commented
35 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
36 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
37 | #log_level = "info"
38 | # for development/debugging:
39 | log_level = "info,xmpp_proxy=trace"
40 | 
41 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
42 | #log_style = "never"
43 | 


--------------------------------------------------------------------------------
/integration/24-s2s-websocket-host-meta-json/xmpp-proxy3.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:5222" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "127.0.0.1:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "127.0.0.1:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/certs/rsa/one.example.org.key"
34 | tls_cert = "/etc/certs/rsa/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/25-s2s-sasl-external/example.org.zone:
--------------------------------------------------------------------------------
 1 | $TTL 300
 2 | ; example.org
 3 | @       IN      SOA     ns1.example.org. postmaster.example.org. (
 4 |                                         2018111111 ; Serial
 5 |                                         28800      ; Refresh
 6 |                                         1800       ; Retry
 7 |                                         604800     ; Expire - 1 week
 8 |                                         86400 )    ; Negative Cache TTL
 9 |                 IN      NS      ns1
10 | ns1             IN      A       192.5.0.10
11 | server1         IN      A       192.5.0.20
12 | server2         IN      A       192.5.0.30
13 | xp1         IN      A       192.5.0.40
14 | xp2         IN      A       192.5.0.50
15 | xp3         IN      A       192.5.0.60
16 | 
17 | one    IN      CNAME   xp1
18 | two    IN      CNAME   server2
19 | 
20 | scansion.one    IN      CNAME   xp3
21 | scansion.two    IN      CNAME   xp3
22 | 


--------------------------------------------------------------------------------
/integration/25-s2s-sasl-external/xmpp-proxy1.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:5269" ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:15270" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "192.5.0.20:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "192.5.0.20:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/prosody/certs/one.example.org.key"
34 | tls_cert = "/etc/prosody/certs/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/25-s2s-sasl-external/xmpp-proxy3.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:5222" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "127.0.0.1:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "127.0.0.1:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/certs/rsa/one.example.org.key"
34 | tls_cert = "/etc/certs/rsa/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/26-s2s-prosody-prosody/example.org.zone:
--------------------------------------------------------------------------------
 1 | $TTL 300
 2 | ; example.org
 3 | @       IN      SOA     ns1.example.org. postmaster.example.org. (
 4 |                                         2018111111 ; Serial
 5 |                                         28800      ; Refresh
 6 |                                         1800       ; Retry
 7 |                                         604800     ; Expire - 1 week
 8 |                                         86400 )    ; Negative Cache TTL
 9 |                 IN      NS      ns1
10 | ns1             IN      A       192.5.0.10
11 | server1         IN      A       192.5.0.20
12 | server2         IN      A       192.5.0.30
13 | xp1         IN      A       192.5.0.40
14 | xp2         IN      A       192.5.0.50
15 | xp3         IN      A       192.5.0.60
16 | 
17 | one    IN      CNAME   server1
18 | two    IN      CNAME   server2
19 | 
20 | scansion.one    IN      CNAME   xp3
21 | scansion.two    IN      CNAME   xp3
22 | 


--------------------------------------------------------------------------------
/integration/26-s2s-prosody-prosody/xmpp-proxy3.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:5222" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "127.0.0.1:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "127.0.0.1:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/certs/rsa/one.example.org.key"
34 | tls_cert = "/etc/certs/rsa/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/27-s2s-prosody-ejabberd/example.org.zone:
--------------------------------------------------------------------------------
 1 | $TTL 300
 2 | ; example.org
 3 | @       IN      SOA     ns1.example.org. postmaster.example.org. (
 4 |                                         2018111111 ; Serial
 5 |                                         28800      ; Refresh
 6 |                                         1800       ; Retry
 7 |                                         604800     ; Expire - 1 week
 8 |                                         86400 )    ; Negative Cache TTL
 9 |                 IN      NS      ns1
10 | ns1             IN      A       192.5.0.10
11 | server1         IN      A       192.5.0.20
12 | server2         IN      A       192.5.0.30
13 | xp1         IN      A       192.5.0.40
14 | xp2         IN      A       192.5.0.50
15 | xp3         IN      A       192.5.0.60
16 | 
17 | one    IN      CNAME   server1
18 | two    IN      CNAME   server2
19 | 
20 | scansion.one    IN      CNAME   xp3
21 | scansion.two    IN      CNAME   xp3
22 | 


--------------------------------------------------------------------------------
/integration/27-s2s-prosody-ejabberd/xmpp-proxy3.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:5222" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "127.0.0.1:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "127.0.0.1:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/certs/rsa/one.example.org.key"
34 | tls_cert = "/etc/certs/rsa/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/28-s2s-srv-record-starttls-no-outgoing/example.org.zone:
--------------------------------------------------------------------------------
 1 | $TTL 300
 2 | ; example.org
 3 | @       IN      SOA     ns1.example.org. postmaster.example.org. (
 4 |                                         2018111111 ; Serial
 5 |                                         28800      ; Refresh
 6 |                                         1800       ; Retry
 7 |                                         604800     ; Expire - 1 week
 8 |                                         86400 )    ; Negative Cache TTL
 9 |                 IN      NS      ns1
10 | ns1             IN      A       192.5.0.10
11 | server1         IN      A       192.5.0.20
12 | server2         IN      A       192.5.0.30
13 | xp1         IN      A       192.5.0.40
14 | xp2         IN      A       192.5.0.50
15 | xp3         IN      A       192.5.0.60
16 | 
17 | one    IN      CNAME   xp1
18 | two    IN      CNAME   xp2
19 | _xmpp-server._tcp.one  IN      SRV     5   1       52269     xp1
20 | _xmpp-server._tcp.two  IN      SRV     5   1       52269     xp2
21 | 
22 | scansion.one    IN      CNAME   xp1
23 | scansion.two    IN      CNAME   xp2
24 | 


--------------------------------------------------------------------------------
/integration/28-s2s-srv-record-starttls-no-outgoing/xmpp-proxy1.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:52269" ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "192.5.0.20:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "192.5.0.20:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/prosody/certs/one.example.org.key"
34 | tls_cert = "/etc/prosody/certs/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/28-s2s-srv-record-starttls-no-outgoing/xmpp-proxy2.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:52269" ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "192.5.0.30:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "192.5.0.30:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/prosody/certs/two.example.org.key"
34 | tls_cert = "/etc/prosody/certs/two.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/29-webtransport-host-meta-json/example.org.zone:
--------------------------------------------------------------------------------
 1 | $TTL 300
 2 | ; example.org
 3 | @       IN      SOA     ns1.example.org. postmaster.example.org. (
 4 |                                         2018111111 ; Serial
 5 |                                         28800      ; Refresh
 6 |                                         1800       ; Retry
 7 |                                         604800     ; Expire - 1 week
 8 |                                         86400 )    ; Negative Cache TTL
 9 |                 IN      NS      ns1
10 | ns1             IN      A       192.5.0.10
11 | server1         IN      A       192.5.0.20
12 | server2         IN      A       192.5.0.30
13 | xp1             IN      A       192.5.0.40
14 | xp2             IN      A       192.5.0.50
15 | xp3             IN      A       192.5.0.60
16 | web1            IN      A       192.5.0.70
17 | web2            IN      A       192.5.0.80
18 | 
19 | one    IN      CNAME   web1
20 | two    IN      CNAME   web2
21 | 
22 | scansion.one    IN      CNAME   xp3
23 | scansion.two    IN      CNAME   xp3
24 | 


--------------------------------------------------------------------------------
/integration/29-webtransport-host-meta-json/nginx1.conf:
--------------------------------------------------------------------------------
 1 | daemon off;
 2 | worker_processes  1;
 3 | error_log stderr;
 4 | 
 5 | events {
 6 |     worker_connections  32;
 7 | }
 8 | 
 9 | http {
10 |     access_log /dev/stdout;
11 | 
12 |     server {
13 |         listen       443 ssl;
14 |         server_name  one.example.org;
15 | 
16 |         ssl_certificate      /etc/prosody/certs/one.example.org.crt;
17 |         ssl_certificate_key  /etc/prosody/certs/one.example.org.key;
18 |         
19 |         location = /.well-known/host-meta.json {
20 |             default_type application/json;
21 |             return 200 '{
22 |                         "links": [
23 |                             {
24 |                             "rel": "urn:xmpp:alt-connections:s2s-webtransport",
25 |                             "href": "https://xp1.example.org/xmpp-webtransport",
26 |                             "ips": [
27 |                                 "192.5.0.40"
28 |                             ],
29 |                             "priority": 15,
30 |                             "weight": 50,
31 |                             "sni": "xp1.example.org"
32 |                             },
33 |                             {
34 |                             "rel": "urn:xmpp:alt-connections:webtransport",
35 |                             "href": "https://xp1.example.org/xmpp-webtransport",
36 |                             "ips": [
37 |                                 "192.5.0.40"
38 |                             ],
39 |                             "priority": 15,
40 |                             "weight": 50,
41 |                             "sni": "xp1.example.org"
42 |                             }
43 |                         ]
44 |                         }';
45 |         }
46 |     }
47 | 
48 | }
49 | 


--------------------------------------------------------------------------------
/integration/29-webtransport-host-meta-json/nginx2.conf:
--------------------------------------------------------------------------------
 1 | daemon off;
 2 | worker_processes  1;
 3 | error_log stderr;
 4 | 
 5 | events {
 6 |     worker_connections  32;
 7 | }
 8 | 
 9 | http {
10 |     access_log /dev/stdout;
11 | 
12 |     server {
13 |         listen       443 ssl;
14 |         server_name  two.example.org;
15 | 
16 |         ssl_certificate      /etc/prosody/certs/two.example.org.crt;
17 |         ssl_certificate_key  /etc/prosody/certs/two.example.org.key;
18 |         
19 |         location = /.well-known/host-meta.json {
20 |             default_type application/json;
21 |             return 200 '{
22 |                         "links": [
23 |                             {
24 |                             "rel": "urn:xmpp:alt-connections:s2s-webtransport",
25 |                             "href": "https://xp2.example.org/xmpp-webtransport",
26 |                             "ips": [
27 |                                 "192.5.0.50"
28 |                             ],
29 |                             "priority": 15,
30 |                             "weight": 50,
31 |                             "sni": "xp2.example.org"
32 |                             },
33 |                             {
34 |                             "rel": "urn:xmpp:alt-connections:webtransport",
35 |                             "href": "https://xp2.example.org/xmpp-webtransport",
36 |                             "ips": [
37 |                                 "192.5.0.50"
38 |                             ],
39 |                             "priority": 15,
40 |                             "weight": 50,
41 |                             "sni": "xp2.example.org"
42 |                             }
43 |                         ]
44 |                         }';
45 |         }
46 |     }
47 | 
48 | }
49 | 


--------------------------------------------------------------------------------
/integration/29-webtransport-host-meta-json/xmpp-proxy1.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | # incoming_listen = [ "0.0.0.0:5281" ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ "0.0.0.0:443" ]
 6 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 7 | outgoing_listen = [ "0.0.0.0:15270" ]
 8 | 
 9 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
10 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
11 | 
12 | # c2s port backend XMPP server listens on
13 | c2s_target = "192.5.0.20:15222"
14 | 
15 | # s2s port backend XMPP server listens on
16 | s2s_target = "192.5.0.20:15269"
17 | 
18 | # send PROXYv1 header to backend XMPP server
19 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
20 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
21 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
22 | proxy = true
23 | 
24 | # limit incoming stanzas to this many bytes, default to ejabberd's default
25 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
26 | # xmpp-proxy will use this many bytes + 16k per connection
27 | max_stanza_size_bytes = 262_144
28 | 
29 | # TLS key/certificate valid for all your XMPP domains, PEM format
30 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
31 | tls_key = "/etc/prosody/certs/xp1.example.org.key"
32 | tls_cert = "/etc/prosody/certs/xp1.example.org.crt"
33 | 
34 | # configure logging, defaults are commented
35 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
36 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
37 | #log_level = "info"
38 | # for development/debugging:
39 | log_level = "info,xmpp_proxy=trace"
40 | 
41 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
42 | #log_style = "never"
43 | 


--------------------------------------------------------------------------------
/integration/29-webtransport-host-meta-json/xmpp-proxy2.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | # incoming_listen = [ "0.0.0.0:5281" ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ "0.0.0.0:443" ]
 6 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 7 | outgoing_listen = [ "0.0.0.0:15270" ]
 8 | 
 9 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
10 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
11 | 
12 | # c2s port backend XMPP server listens on
13 | c2s_target = "192.5.0.30:15222"
14 | 
15 | # s2s port backend XMPP server listens on
16 | s2s_target = "192.5.0.30:15269"
17 | 
18 | # send PROXYv1 header to backend XMPP server
19 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
20 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
21 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
22 | proxy = true
23 | 
24 | # limit incoming stanzas to this many bytes, default to ejabberd's default
25 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
26 | # xmpp-proxy will use this many bytes + 16k per connection
27 | max_stanza_size_bytes = 262_144
28 | 
29 | # TLS key/certificate valid for all your XMPP domains, PEM format
30 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
31 | tls_key = "/etc/prosody/certs/xp2.example.org.key"
32 | tls_cert = "/etc/prosody/certs/xp2.example.org.crt"
33 | 
34 | # configure logging, defaults are commented
35 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
36 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
37 | #log_level = "info"
38 | # for development/debugging:
39 | log_level = "info,xmpp_proxy=trace"
40 | 
41 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
42 | #log_style = "never"
43 | 


--------------------------------------------------------------------------------
/integration/29-webtransport-host-meta-json/xmpp-proxy3.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
 3 | incoming_listen = [ ]
 4 | # interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
 5 | quic_listen = [ ]
 6 | # interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
 7 | websocket_listen = [ ]
 8 | # interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
 9 | outgoing_listen = [ "0.0.0.0:5222" ]
10 | 
11 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
12 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
13 | 
14 | # c2s port backend XMPP server listens on
15 | c2s_target = "127.0.0.1:15222"
16 | 
17 | # s2s port backend XMPP server listens on
18 | s2s_target = "127.0.0.1:15269"
19 | 
20 | # send PROXYv1 header to backend XMPP server
21 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
22 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
23 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
24 | proxy = true
25 | 
26 | # limit incoming stanzas to this many bytes, default to ejabberd's default
27 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
28 | # xmpp-proxy will use this many bytes + 16k per connection
29 | max_stanza_size_bytes = 262_144
30 | 
31 | # TLS key/certificate valid for all your XMPP domains, PEM format
32 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
33 | tls_key = "/etc/certs/rsa/one.example.org.key"
34 | tls_cert = "/etc/certs/rsa/one.example.org.crt"
35 | 
36 | # configure logging, defaults are commented
37 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
38 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
39 | #log_level = "info"
40 | # for development/debugging:
41 | log_level = "info,xmpp_proxy=trace"
42 | 
43 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
44 | #log_style = "never"
45 | 


--------------------------------------------------------------------------------
/integration/juliet_messages_romeo.scs:
--------------------------------------------------------------------------------
 1 | # Juliet messages Romeo
 2 | 
 3 | [Client] Romeo
 4 | 	jid: romeo@one.example.org
 5 | 	password: pass
 6 | 	connect_host: scansion.one.example.org
 7 | 	connect_port: 5222
 8 | 
 9 | [Client] Juliet
10 | 	jid: juliet@two.example.org
11 | 	password: pass
12 | 	connect_host: scansion.two.example.org
13 | 	connect_port: 5222
14 | 
15 | ---------
16 | 
17 | Juliet connects
18 | 
19 | Romeo connects
20 | 
21 | Juliet sends:
22 | 	<message to="${Romeo's full JID}" type="chat">
23 | 		<body>Hello Romeo!</body>
24 | 	</message>
25 | 
26 | Romeo receives:
27 | 	<message to="${Romeo's full JID}" from="${Juliet's full JID}" type="chat">
28 | 		<body>Hello Romeo!</body>
29 | 	</message>
30 | 
31 | Juliet disconnects
32 | 
33 | Romeo disconnects
34 | 


--------------------------------------------------------------------------------
/integration/juliet_presence.scs:
--------------------------------------------------------------------------------
 1 | # Juliet login and initial presence
 2 | 
 3 | [Client] Juliet
 4 | 	jid: juliet@two.example.org
 5 | 	password: pass
 6 | 	connect_host: scansion.two.example.org
 7 | 	connect_port: 5222
 8 | 
 9 | ---------
10 | 
11 | Juliet connects
12 | 
13 | Juliet sends:
14 | 	<presence/>
15 | 
16 | Juliet receives:
17 | 	<presence/>
18 | 
19 | Juliet disconnects
20 | 
21 | 


--------------------------------------------------------------------------------
/integration/named.conf:
--------------------------------------------------------------------------------
 1 | // vim:set ts=4 sw=4 et:
 2 | 
 3 | options {
 4 |     directory "/var/named";
 5 |     pid-file "/run/named/named.pid";
 6 | 
 7 |     // Uncomment these to enable IPv6 connections support
 8 |     // IPv4 will still work:
 9 |     //  listen-on-v6 { any; };
10 |     // Add this for no IPv4:
11 |     //  listen-on { none; };
12 | 
13 |     //allow-recursion { 127.0.0.1; };
14 |     allow-recursion { none; };
15 |     allow-transfer { none; };
16 |     allow-update { none; };
17 | 
18 |     version none;
19 |     hostname none;
20 |     server-id none;
21 | };
22 | 
23 | zone "localhost" IN {
24 |     type master;
25 |     file "localhost.zone";
26 | };
27 | 
28 | zone "0.0.127.in-addr.arpa" IN {
29 |     type master;
30 |     file "127.0.0.zone";
31 | };
32 | 
33 | zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
34 |     type master;
35 |     file "localhost.ip6.zone";
36 | };
37 | 
38 | zone "example.org" IN {
39 |     type master;
40 |     file "example.org.zone";
41 |     allow-update { none; };
42 |     notify no;
43 | };
44 | 
45 | //zone "example.org" IN {
46 | //    type slave;
47 | //    file "example.zone";
48 | //    masters {
49 | //        192.168.1.100;
50 | //    };
51 | //    allow-query { any; };
52 | //    allow-transfer { any; };
53 | //};
54 | 
55 | //logging {
56 | //    channel xfer-log {
57 | //        file "/var/log/named.log";
58 | //            print-category yes;
59 | //            print-severity yes;
60 | //            severity info;
61 | //        };
62 | //        category xfer-in { xfer-log; };
63 | //        category xfer-out { xfer-log; };
64 | //        category notify { xfer-log; };
65 | //};
66 | 


--------------------------------------------------------------------------------
/integration/romeo_messages_juliet.scs:
--------------------------------------------------------------------------------
 1 | # Romeo messages Juliet
 2 | 
 3 | [Client] Romeo
 4 | 	jid: romeo@one.example.org
 5 | 	password: pass
 6 | 	connect_host: scansion.one.example.org
 7 | 	connect_port: 5222
 8 | 
 9 | [Client] Juliet
10 | 	jid: juliet@two.example.org
11 | 	password: pass
12 | 	connect_host: scansion.two.example.org
13 | 	connect_port: 5222
14 | 
15 | 
16 | ---------
17 | 
18 | Romeo connects
19 | 
20 | Juliet connects
21 | 
22 | Romeo sends:
23 | 	<message to="${Juliet's full JID}" type="chat">
24 | 		<body>Hello Juliet!</body>
25 | 	</message>
26 | 
27 | Juliet receives:
28 | 	<message to="${Juliet's full JID}" from="${Romeo's full JID}" type="chat">
29 | 		<body>Hello Juliet!</body>
30 | 	</message>
31 | 
32 | Romeo disconnects
33 | 
34 | Juliet disconnects
35 | 


--------------------------------------------------------------------------------
/integration/romeo_presence.scs:
--------------------------------------------------------------------------------
 1 | # Romeo login and initial presence
 2 | 
 3 | [Client] Romeo
 4 | 	jid: romeo@one.example.org
 5 | 	password: pass
 6 | 	connect_host: scansion.one.example.org
 7 | 	connect_port: 5222
 8 | 
 9 | ---------
10 | 
11 | Romeo connects
12 | 
13 | Romeo sends:
14 | 	<presence/>
15 | 
16 | Romeo receives:
17 | 	<presence/>
18 | 
19 | Romeo disconnects
20 | 
21 | 


--------------------------------------------------------------------------------
/src/common/ca_roots.rs:
--------------------------------------------------------------------------------
 1 | #[cfg(feature = "webpki")]
 2 | use webpki::TrustAnchor;
 3 | 
 4 | #[cfg(all(feature = "webpki-roots", not(feature = "rustls-native-certs")))]
 5 | lazy_static::lazy_static! {
 6 |     pub static ref TLS_SERVER_ROOTS: &'static [TrustAnchor<'static>] = {
 7 |         let root_cert_store: &mut Box<Vec<_>> = Box::leak(Box::default());
 8 |         for ta in webpki_roots::TLS_SERVER_ROOTS {
 9 |             let ta = TrustAnchor {
10 |                 subject: ta.subject,
11 |                 spki: ta.spki,
12 |                 name_constraints: ta.name_constraints,
13 |             };
14 |             root_cert_store.push(ta);
15 |         }
16 |         root_cert_store
17 |     };
18 | }
19 | 
20 | #[cfg(all(feature = "rustls-native-certs", not(feature = "webpki-roots")))]
21 | lazy_static::lazy_static! {
22 |     pub static ref TLS_SERVER_ROOTS: &'static [TrustAnchor<'static>] = {
23 |         // we need these to stick around for 'static, this is only called once so no problem
24 |         let certs = Box::leak(Box::new(rustls_native_certs::load_native_certs().expect("could not load platform certs")));
25 |         let root_cert_store: &mut Box<Vec<_>> = Box::leak(Box::default());
26 |         for cert in certs {
27 |             // some system CAs are invalid, ignore those
28 |             if let Ok(ta) = TrustAnchor::try_from_cert_der(&cert.0) {
29 |                 root_cert_store.push(ta);
30 |             }
31 |         }
32 |         root_cert_store
33 |     };
34 | }
35 | 
36 | pub fn root_cert_store() -> rustls::RootCertStore {
37 |     use rustls::{OwnedTrustAnchor, RootCertStore};
38 |     let mut root_cert_store = RootCertStore::empty();
39 |     root_cert_store.add_trust_anchors(
40 |         TLS_SERVER_ROOTS
41 |             .iter()
42 |             .map(|ta| OwnedTrustAnchor::from_subject_spki_name_constraints(ta.subject, ta.spki, ta.name_constraints)),
43 |     );
44 |     root_cert_store
45 | }
46 | 


--------------------------------------------------------------------------------
/src/common/certs_key.rs:
--------------------------------------------------------------------------------
 1 | use std::sync::{Arc, RwLock};
 2 | 
 3 | use anyhow::Result;
 4 | use rustls::{sign::CertifiedKey, SignatureScheme};
 5 | 
 6 | pub struct CertsKey {
 7 |     #[cfg(feature = "rustls-pemfile")]
 8 |     pub inner: Result<RwLock<Arc<CertifiedKey>>>,
 9 | }
10 | 
11 | impl CertsKey {
12 |     pub fn new(certified_key: Result<CertifiedKey>) -> Self {
13 |         CertsKey {
14 |             #[cfg(feature = "rustls-pemfile")]
15 |             inner: certified_key.map(|c| RwLock::new(Arc::new(c))),
16 |         }
17 |     }
18 | }
19 | 
20 | #[cfg(feature = "rustls-pemfile")]
21 | impl rustls::server::ResolvesServerCert for CertsKey {
22 |     fn resolve(&self, _: rustls::server::ClientHello) -> Option<Arc<rustls::sign::CertifiedKey>> {
23 |         self.inner.as_ref().map(|rwl| rwl.read().expect("CertKey poisoned?").clone()).ok()
24 |     }
25 | }
26 | 
27 | #[cfg(feature = "rustls-pemfile")]
28 | impl rustls::client::ResolvesClientCert for CertsKey {
29 |     fn resolve(&self, _: &[&[u8]], _: &[SignatureScheme]) -> Option<Arc<CertifiedKey>> {
30 |         self.inner.as_ref().map(|rwl| rwl.read().expect("CertKey poisoned?").clone()).ok()
31 |     }
32 | 
33 |     fn has_certs(&self) -> bool {
34 |         self.inner.is_ok()
35 |     }
36 | }
37 | 
38 | #[cfg(not(feature = "rustls-pemfile"))]
39 | impl rustls::client::ResolvesClientCert for CertsKey {
40 |     fn resolve(&self, _: &[&[u8]], _: &[SignatureScheme]) -> Option<Arc<CertifiedKey>> {
41 |         None
42 |     }
43 | 
44 |     fn has_certs(&self) -> bool {
45 |         false
46 |     }
47 | }
48 | 


--------------------------------------------------------------------------------
/src/common/outgoing.rs:
--------------------------------------------------------------------------------
 1 | use crate::common::{certs_key::CertsKey, ALPN_XMPP_CLIENT, ALPN_XMPP_SERVER};
 2 | use rustls::{client::ServerCertVerifier, ClientConfig};
 3 | use std::sync::Arc;
 4 | use tokio_rustls::TlsConnector;
 5 | 
 6 | #[derive(Clone)]
 7 | pub struct OutgoingConfig {
 8 |     pub max_stanza_size_bytes: usize,
 9 |     pub certs_key: Arc<CertsKey>,
10 | }
11 | 
12 | impl OutgoingConfig {
13 |     pub fn with_custom_certificate_verifier(&self, is_c2s: bool, cert_verifier: Arc<dyn ServerCertVerifier>) -> OutgoingVerifierConfig {
14 |         let config = match is_c2s {
15 |             false => ClientConfig::builder()
16 |                 .with_safe_defaults()
17 |                 .with_custom_certificate_verifier(cert_verifier)
18 |                 .with_client_cert_resolver(self.certs_key.clone()),
19 |             _ => ClientConfig::builder().with_safe_defaults().with_custom_certificate_verifier(cert_verifier).with_no_client_auth(),
20 |         };
21 | 
22 |         #[cfg(feature = "webtransport")]
23 |         let config_webtransport_alpn = {
24 |             let mut config = config.clone();
25 |             config.alpn_protocols.push(webtransport_quinn::ALPN.to_vec());
26 |             Arc::new(config)
27 |         };
28 | 
29 |         let mut config_alpn = config.clone();
30 |         config_alpn.alpn_protocols.push(if is_c2s { ALPN_XMPP_CLIENT } else { ALPN_XMPP_SERVER }.to_vec());
31 | 
32 |         let config_alpn = Arc::new(config_alpn);
33 | 
34 |         let connector_alpn: TlsConnector = config_alpn.clone().into();
35 | 
36 |         let connector: TlsConnector = Arc::new(config).into();
37 | 
38 |         OutgoingVerifierConfig {
39 |             max_stanza_size_bytes: self.max_stanza_size_bytes,
40 |             #[cfg(feature = "webtransport")]
41 |             config_webtransport_alpn,
42 |             config_alpn,
43 |             connector_alpn,
44 |             connector,
45 |         }
46 |     }
47 | }
48 | 
49 | #[derive(Clone)]
50 | pub struct OutgoingVerifierConfig {
51 |     pub max_stanza_size_bytes: usize,
52 | 
53 |     #[cfg(feature = "webtransport")]
54 |     pub config_webtransport_alpn: Arc<ClientConfig>,
55 | 
56 |     pub config_alpn: Arc<ClientConfig>,
57 |     pub connector_alpn: TlsConnector,
58 | 
59 |     pub connector: TlsConnector,
60 | }
61 | 


--------------------------------------------------------------------------------
/src/lib.rs:
--------------------------------------------------------------------------------
 1 | pub mod common;
 2 | pub mod slicesubsequence;
 3 | pub mod stanzafilter;
 4 | 
 5 | #[cfg(feature = "quic")]
 6 | pub mod quic;
 7 | 
 8 | #[cfg(feature = "tls")]
 9 | pub mod tls;
10 | 
11 | #[cfg(feature = "outgoing")]
12 | pub mod outgoing;
13 | 
14 | #[cfg(any(feature = "s2s-incoming", feature = "outgoing"))]
15 | pub mod srv;
16 | 
17 | #[cfg(feature = "websocket")]
18 | pub mod websocket;
19 | 
20 | #[cfg(feature = "webtransport")]
21 | pub mod webtransport;
22 | 
23 | #[cfg(any(feature = "s2s-incoming", feature = "outgoing"))]
24 | pub mod verify;
25 | 
26 | #[cfg(all(feature = "nix", not(target_os = "windows")))]
27 | pub mod systemd;
28 | 
29 | pub mod context;
30 | pub mod in_out;
31 | 


--------------------------------------------------------------------------------
/src/outgoing.rs:
--------------------------------------------------------------------------------
 1 | use crate::{
 2 |     common::{outgoing::OutgoingConfig, shuffle_rd_wr_filter_only, stream_listener::StreamListener, stream_preamble, AsyncReadWritePeekSplit},
 3 |     context::Context,
 4 |     slicesubsequence::SliceSubsequence,
 5 |     srv::srv_connect,
 6 |     stanzafilter::StanzaFilter,
 7 | };
 8 | use anyhow::Result;
 9 | use log::{error, info};
10 | 
11 | use tokio::task::JoinHandle;
12 | 
13 | async fn handle_outgoing_connection<S: AsyncReadWritePeekSplit>(mut stream: S, client_addr: &mut Context<'_>, config: OutgoingConfig) -> Result<()> {
14 |     info!("{} connected", client_addr.log_from());
15 | 
16 |     let mut in_filter = StanzaFilter::new(config.max_stanza_size_bytes);
17 | 
18 |     #[cfg(feature = "websocket")]
19 |     let (mut in_rd, mut in_wr) = if stream.first_bytes_match(&mut in_filter.buf[0..3], |p| p == b"GET").await? {
20 |         crate::websocket::incoming_websocket_connection(Box::new(stream), config.max_stanza_size_bytes).await?
21 |     } else {
22 |         stream.stanza_rw()
23 |     };
24 | 
25 |     #[cfg(not(feature = "websocket"))]
26 |     let (mut in_rd, mut in_wr) = stream.stanza_rw();
27 | 
28 |     // now read to figure out client vs server
29 |     let (stream_open, is_c2s) = stream_preamble(&mut in_rd, &mut in_wr, client_addr.log_to(), &mut in_filter).await?;
30 |     client_addr.set_c2s_stream_open(is_c2s, &stream_open);
31 | 
32 |     // we require a valid to= here or we fail
33 |     let to = std::str::from_utf8(stream_open.extract_between(b" to='", b"'").or_else(|_| stream_open.extract_between(b" to=\"", b"\""))?)?;
34 | 
35 |     let max_stanza_size_bytes = config.max_stanza_size_bytes;
36 |     let (out_wr, out_rd, stream_open) = srv_connect(to, is_c2s, &stream_open, &mut in_filter, client_addr, config).await?;
37 |     // send server response to client
38 |     in_wr.write_all(is_c2s, &stream_open, 0, client_addr.log_from()).await?;
39 |     in_wr.flush().await?;
40 |     drop(stream_open);
41 | 
42 |     shuffle_rd_wr_filter_only(in_rd, in_wr, out_rd, out_wr, is_c2s, max_stanza_size_bytes, client_addr, in_filter).await
43 | }
44 | 
45 | pub fn spawn_outgoing_listener(listener: impl StreamListener, config: OutgoingConfig) -> JoinHandle<Result<()>> {
46 |     tokio::spawn(async move {
47 |         loop {
48 |             let (stream, client_addr) = listener.accept().await?;
49 |             let mut client_addr = Context::new("unk-out", client_addr);
50 |             let config = config.clone();
51 |             tokio::spawn(async move {
52 |                 if let Err(e) = handle_outgoing_connection(stream, &mut client_addr, config).await {
53 |                     error!("{} {}", client_addr.log_from(), e);
54 |                 }
55 |             });
56 |         }
57 |     })
58 | }
59 | 


--------------------------------------------------------------------------------
/src/quic/mod.rs:
--------------------------------------------------------------------------------
 1 | use crate::{
 2 |     common::Split,
 3 |     in_out::{StanzaRead, StanzaWrite},
 4 | };
 5 | use anyhow::bail;
 6 | use quinn::{RecvStream, SendStream};
 7 | use std::{
 8 |     io::Error,
 9 |     pin::Pin,
10 |     task::{Context, Poll},
11 | };
12 | use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
13 | 
14 | #[cfg(feature = "incoming")]
15 | pub mod incoming;
16 | 
17 | #[cfg(feature = "outgoing")]
18 | pub mod outgoing;
19 | 
20 | #[cfg(all(feature = "incoming", not(target_os = "windows")))]
21 | pub mod unix_datagram;
22 | 
23 | pub struct QuicStream {
24 |     pub send: SendStream,
25 |     pub recv: RecvStream,
26 | }
27 | 
28 | impl AsyncRead for QuicStream {
29 |     fn poll_read(mut self: Pin<&mut Self>, cx: &mut Context<'_>, buf: &mut ReadBuf<'_>) -> Poll<std::io::Result<()>> {
30 |         Pin::new(&mut self.recv).poll_read(cx, buf)
31 |     }
32 | }
33 | 
34 | impl AsyncWrite for QuicStream {
35 |     fn poll_write(mut self: Pin<&mut Self>, cx: &mut Context<'_>, buf: &[u8]) -> Poll<Result<usize, Error>> {
36 |         Pin::new(&mut self.send).poll_write(cx, buf)
37 |     }
38 | 
39 |     fn poll_flush(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Result<(), Error>> {
40 |         Pin::new(&mut self.send).poll_flush(cx)
41 |     }
42 | 
43 |     fn poll_shutdown(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Result<(), Error>> {
44 |         Pin::new(&mut self.send).poll_shutdown(cx)
45 |     }
46 | }
47 | 
48 | impl Split for QuicStream {
49 |     type ReadHalf = RecvStream;
50 |     type WriteHalf = SendStream;
51 | 
52 |     fn combine(recv: Self::ReadHalf, send: Self::WriteHalf) -> anyhow::Result<Self> {
53 |         if recv.id() != send.id() {
54 |             bail!("ids do not match")
55 |         } else {
56 |             Ok(Self { recv, send })
57 |         }
58 |     }
59 | 
60 |     fn split(self) -> (Self::ReadHalf, Self::WriteHalf) {
61 |         (self.recv, self.send)
62 |     }
63 | 
64 |     fn stanza_rw(self) -> (StanzaRead, StanzaWrite) {
65 |         (StanzaRead::new(self.recv), StanzaWrite::new(self.send))
66 |     }
67 | }
68 | 


--------------------------------------------------------------------------------
/src/quic/outgoing.rs:
--------------------------------------------------------------------------------
 1 | use std::net::SocketAddr;
 2 | 
 3 | use crate::{
 4 |     common::outgoing::OutgoingVerifierConfig,
 5 |     in_out::{StanzaRead, StanzaWrite},
 6 | };
 7 | use anyhow::Result;
 8 | use log::trace;
 9 | 
10 | pub async fn quic_connect(target: SocketAddr, server_name: &str, config: &OutgoingVerifierConfig) -> Result<(StanzaWrite, StanzaRead)> {
11 |     let bind_addr = "0.0.0.0:0".parse().unwrap();
12 |     let client_cfg = config.config_alpn.clone();
13 | 
14 |     let mut endpoint = quinn::Endpoint::client(bind_addr)?;
15 |     endpoint.set_default_client_config(quinn::ClientConfig::new(client_cfg));
16 | 
17 |     // connect to server
18 |     let connection = endpoint.connect(target, server_name)?.await?;
19 |     trace!("quic connected: addr={}", connection.remote_address());
20 | 
21 |     let (wrt, rd) = connection.open_bi().await?;
22 |     Ok((StanzaWrite::new(wrt), StanzaRead::new(rd)))
23 | }
24 | 


--------------------------------------------------------------------------------
/src/quic/unix_datagram.rs:
--------------------------------------------------------------------------------
 1 | use quinn::{udp, AsyncUdpSocket};
 2 | 
 3 | use std::{
 4 |     io,
 5 |     task::{Context, Poll},
 6 | };
 7 | use tokio::net::UnixDatagram;
 8 | 
 9 | use tokio::io::Interest;
10 | 
11 | macro_rules! ready {
12 |     ($e:expr $(,)?) => {
13 |         match $e {
14 |             std::task::Poll::Ready(t) => t,
15 |             std::task::Poll::Pending => return std::task::Poll::Pending,
16 |         }
17 |     };
18 | }
19 | 
20 | pub fn wrap_unix_udp_socket(sock: std::os::unix::net::UnixDatagram) -> io::Result<UnixUdpSocket> {
21 |     udp::UdpSocketState::configure((&sock).into())?;
22 |     Ok(UnixUdpSocket {
23 |         io: UnixDatagram::from_std(sock)?,
24 |         inner: udp::UdpSocketState::new(),
25 |     })
26 | }
27 | 
28 | #[derive(Debug)]
29 | pub struct UnixUdpSocket {
30 |     io: UnixDatagram,
31 |     inner: udp::UdpSocketState,
32 | }
33 | 
34 | impl AsyncUdpSocket for UnixUdpSocket {
35 |     fn poll_send(&self, state: &udp::UdpState, cx: &mut Context, transmits: &[udp::Transmit]) -> Poll<io::Result<usize>> {
36 |         let inner = &self.inner;
37 |         let io = &self.io;
38 |         loop {
39 |             ready!(io.poll_send_ready(cx))?;
40 |             if let Ok(res) = io.try_io(Interest::WRITABLE, || inner.send(io.into(), state, transmits)) {
41 |                 return Poll::Ready(Ok(res));
42 |             }
43 |         }
44 |     }
45 | 
46 |     fn poll_recv(&self, cx: &mut Context, bufs: &mut [std::io::IoSliceMut<'_>], meta: &mut [udp::RecvMeta]) -> Poll<io::Result<usize>> {
47 |         loop {
48 |             ready!(self.io.poll_recv_ready(cx))?;
49 |             if let Ok(res) = self.io.try_io(Interest::READABLE, || self.inner.recv((&self.io).into(), bufs, meta)) {
50 |                 return Poll::Ready(Ok(res));
51 |             }
52 |         }
53 |     }
54 | 
55 |     fn local_addr(&self) -> io::Result<std::net::SocketAddr> {
56 |         // todo: real SocketAddr
57 |         Ok("127.0.0.1:0".parse().expect("this one is hardcoded and fine"))
58 |     }
59 | 
60 |     fn may_fragment(&self) -> bool {
61 |         udp::may_fragment()
62 |     }
63 | }
64 | 


--------------------------------------------------------------------------------
/src/tls/mod.rs:
--------------------------------------------------------------------------------
1 | #[cfg(feature = "incoming")]
2 | pub mod incoming;
3 | 
4 | #[cfg(feature = "outgoing")]
5 | pub mod outgoing;
6 | 


--------------------------------------------------------------------------------
/src/tls/outgoing.rs:
--------------------------------------------------------------------------------
 1 | use crate::{
 2 |     common::{outgoing::OutgoingVerifierConfig, to_str, IN_BUFFER_SIZE},
 3 |     in_out::{StanzaRead, StanzaWrite},
 4 |     stanzafilter::{StanzaFilter, StanzaReader},
 5 | };
 6 | use anyhow::{bail, Result};
 7 | use log::{debug, trace};
 8 | use rustls::ServerName;
 9 | use std::{convert::TryFrom, net::SocketAddr};
10 | use tokio::io::AsyncWriteExt;
11 | 
12 | pub async fn tls_connect(target: SocketAddr, server_name: &str, config: &OutgoingVerifierConfig) -> Result<(StanzaWrite, StanzaRead)> {
13 |     let dnsname = ServerName::try_from(server_name)?;
14 |     let stream = tokio::net::TcpStream::connect(target).await?;
15 |     let stream = config.connector_alpn.connect(dnsname, stream).await?;
16 |     let (rd, wrt) = tokio::io::split(stream);
17 |     Ok((StanzaWrite::new(wrt), StanzaRead::new(rd)))
18 | }
19 | 
20 | pub async fn starttls_connect(target: SocketAddr, server_name: &str, stream_open: &[u8], in_filter: &mut StanzaFilter, config: &OutgoingVerifierConfig) -> Result<(StanzaWrite, StanzaRead)> {
21 |     let dnsname = ServerName::try_from(server_name)?;
22 |     let mut stream = tokio::net::TcpStream::connect(target).await?;
23 |     let (in_rd, mut in_wr) = stream.split();
24 | 
25 |     // send the stream_open
26 |     trace!("starttls sending: {} '{}'", server_name, to_str(stream_open));
27 |     in_wr.write_all(stream_open).await?;
28 |     in_wr.flush().await?;
29 | 
30 |     // we naively read 1 byte at a time, which buffering significantly speeds up
31 |     let in_rd = tokio::io::BufReader::with_capacity(IN_BUFFER_SIZE, in_rd);
32 |     let mut in_rd = StanzaReader(in_rd);
33 |     let mut proceed_received = false;
34 | 
35 |     trace!("starttls reading stream open {}", server_name);
36 |     while let Ok(Some(buf)) = in_rd.next(in_filter).await {
37 |         trace!("received pre-tls stanza: {} '{}'", server_name, to_str(buf));
38 |         if buf.starts_with(b"<?xml ") || buf.starts_with(b"<stream:stream ") {
39 |             // ignore this
40 |         } else if buf.starts_with(b"<stream:features") {
41 |             // we send starttls regardless, it could have been stripped out, we don't do plaintext
42 |             let buf = br###"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"###;
43 |             trace!("> {} '{}'", server_name, to_str(buf));
44 |             in_wr.write_all(buf).await?;
45 |             in_wr.flush().await?;
46 |         } else if buf.starts_with(b"<proceed ") {
47 |             proceed_received = true;
48 |             break;
49 |         } else {
50 |             bail!("bad pre-tls stanza: {}", to_str(buf));
51 |         }
52 |     }
53 |     if !proceed_received {
54 |         bail!("stream ended before proceed");
55 |     }
56 | 
57 |     debug!("starttls starting TLS {}", server_name);
58 |     let stream = config.connector.connect(dnsname, stream).await?;
59 |     let (rd, wrt) = tokio::io::split(stream);
60 |     Ok((StanzaWrite::new(wrt), StanzaRead::new(rd)))
61 | }
62 | 


--------------------------------------------------------------------------------
/src/websocket/incoming.rs:
--------------------------------------------------------------------------------
 1 | use crate::{
 2 |     common::{
 3 |         incoming::{shuffle_rd_wr_filter, IncomingConfig, ServerCerts},
 4 |         BoxAsyncReadWrite,
 5 |     },
 6 |     context::Context,
 7 |     stanzafilter::StanzaFilter,
 8 |     websocket::incoming_websocket_connection,
 9 | };
10 | use anyhow::Result;
11 | use log::info;
12 | use std::{net::SocketAddr, sync::Arc};
13 | 
14 | pub async fn handle_websocket_connection(
15 |     stream: BoxAsyncReadWrite,
16 |     config: Arc<IncomingConfig>,
17 |     server_certs: ServerCerts,
18 |     local_addr: SocketAddr,
19 |     client_addr: &mut Context<'_>,
20 |     in_filter: StanzaFilter,
21 | ) -> Result<()> {
22 |     client_addr.set_proto("websocket-in");
23 |     info!("{} connected", client_addr.log_from());
24 | 
25 |     let (in_rd, in_wr) = incoming_websocket_connection(stream, config.max_stanza_size_bytes).await?;
26 | 
27 |     shuffle_rd_wr_filter(in_rd, in_wr, config, server_certs, local_addr, client_addr, in_filter).await
28 | }
29 | 


--------------------------------------------------------------------------------
/src/websocket/outgoing.rs:
--------------------------------------------------------------------------------
 1 | use crate::{
 2 |     common::{outgoing::OutgoingVerifierConfig, BoxAsyncReadWrite},
 3 |     in_out::{StanzaRead, StanzaWrite},
 4 |     websocket::ws_cfg,
 5 | };
 6 | use anyhow::Result;
 7 | use futures_util::StreamExt;
 8 | use rustls::ServerName;
 9 | use std::{convert::TryFrom, net::SocketAddr};
10 | use tokio_tungstenite::tungstenite::{
11 |     client::IntoClientRequest,
12 |     http::{
13 |         header::{ORIGIN, SEC_WEBSOCKET_PROTOCOL},
14 |         Uri,
15 |     },
16 | };
17 | 
18 | pub async fn websocket_connect(target: SocketAddr, server_name: &str, url: &Uri, origin: &str, config: &OutgoingVerifierConfig) -> Result<(StanzaWrite, StanzaRead)> {
19 |     let mut request = url.into_client_request()?;
20 |     request.headers_mut().append(SEC_WEBSOCKET_PROTOCOL, "xmpp".parse()?);
21 |     request.headers_mut().append(ORIGIN, origin.parse()?);
22 | 
23 |     let dnsname = ServerName::try_from(server_name)?;
24 |     let stream = tokio::net::TcpStream::connect(target).await?;
25 |     let stream = config.connector.connect(dnsname, stream).await?;
26 | 
27 |     //let stream: tokio_rustls::TlsStream<tokio::net::TcpStream> = stream.into();
28 |     // todo: tokio_tungstenite seems to have a bug, if the write buffer is non-zero, it'll hang forever, even though we always flush, investigate
29 |     //let stream = BufStream::with_capacity(crate::IN_BUFFER_SIZE, 0, stream);
30 |     let stream: BoxAsyncReadWrite = Box::new(stream);
31 | 
32 |     let (stream, _) = tokio_tungstenite::client_async_with_config(request, stream, ws_cfg(config.max_stanza_size_bytes)).await?;
33 | 
34 |     let (wrt, rd) = stream.split();
35 | 
36 |     Ok((StanzaWrite::WebSocketClientWrite(wrt), StanzaRead::WebSocketRead(rd)))
37 | }
38 | 


--------------------------------------------------------------------------------
/src/webtransport/incoming.rs:
--------------------------------------------------------------------------------
 1 | use crate::{
 2 |     common::incoming::{shuffle_rd_wr, IncomingConfig, ServerCerts},
 3 |     context::Context,
 4 |     in_out::{StanzaRead, StanzaWrite},
 5 | };
 6 | 
 7 | use log::{error, info};
 8 | use std::{net::SocketAddr, sync::Arc};
 9 | 
10 | pub async fn handle_webtransport_session(conn: quinn::Connection, config: Arc<IncomingConfig>, server_certs: ServerCerts, local_addr: SocketAddr, mut client_addr: Context<'static>) {
11 |     client_addr.set_proto("webtransport-in");
12 | 
13 |     // Perform the WebTransport handshake.
14 |     let request = match webtransport_quinn::accept(conn).await {
15 |         Ok(r) => r,
16 |         Err(e) => {
17 |             error!("{} {}", client_addr.log_from(), e);
18 |             return;
19 |         }
20 |     };
21 |     info!("{} received request URL: {}", client_addr.log_from(), request.url());
22 | 
23 |     // Accept the session.
24 |     let session = match request.ok().await {
25 |         Ok(r) => r,
26 |         Err(e) => {
27 |             error!("{} {}", client_addr.log_from(), e);
28 |             return;
29 |         }
30 |     };
31 |     info!("{} connected new session", client_addr.log_from());
32 | 
33 |     while let Ok((wrt, rd)) = session.accept_bi().await {
34 |         let config = config.clone();
35 |         let mut client_addr = client_addr.clone();
36 |         let server_certs = server_certs.clone();
37 |         info!("{} connected new stream", client_addr.log_from());
38 |         tokio::spawn(async move {
39 |             if let Err(e) = shuffle_rd_wr(StanzaRead::new(rd), StanzaWrite::new(wrt), config, server_certs, local_addr, &mut client_addr).await {
40 |                 error!("{} {}", client_addr.log_from(), e);
41 |             }
42 |         });
43 |     }
44 | }
45 | 


--------------------------------------------------------------------------------
/src/webtransport/mod.rs:
--------------------------------------------------------------------------------
1 | #[cfg(feature = "incoming")]
2 | pub mod incoming;
3 | 
4 | #[cfg(feature = "outgoing")]
5 | pub mod outgoing;
6 | 


--------------------------------------------------------------------------------
/src/webtransport/outgoing.rs:
--------------------------------------------------------------------------------
 1 | use std::net::SocketAddr;
 2 | 
 3 | use crate::{
 4 |     common::outgoing::OutgoingVerifierConfig,
 5 |     in_out::{StanzaRead, StanzaWrite},
 6 | };
 7 | use anyhow::Result;
 8 | use log::trace;
 9 | use reqwest::Url;
10 | 
11 | pub async fn webtransport_connect(target: SocketAddr, server_name: &str, url: &Url, config: &OutgoingVerifierConfig) -> Result<(StanzaWrite, StanzaRead)> {
12 |     let bind_addr = "0.0.0.0:0".parse().unwrap();
13 | 
14 |     let mut endpoint = quinn::Endpoint::client(bind_addr)?;
15 |     endpoint.set_default_client_config(quinn::ClientConfig::new(config.config_webtransport_alpn.clone()));
16 | 
17 |     // connect to server
18 |     let connection = endpoint.connect(target, server_name)?.await?;
19 |     trace!("quic pre-wt connected: addr={}", connection.remote_address());
20 | 
21 |     let connection = webtransport_quinn::connect_with(connection, url).await?;
22 |     trace!("webtransport connected: addr={}", connection.remote_address());
23 | 
24 |     let (wrt, rd) = connection.open_bi().await?;
25 |     Ok((StanzaWrite::new(wrt), StanzaRead::new(rd)))
26 | }
27 | 


--------------------------------------------------------------------------------
/xmpp-proxy.toml:
--------------------------------------------------------------------------------
 1 | 
 2 | # interfaces to listen for reverse proxy STARTTLS/Direct TLS/TLS WebSocket (wss) XMPP connections on, should be open to the internet
 3 | incoming_listen = [ "[::]:5222", "[::]:5269", "[::]:443" ]
 4 | # interfaces to listen for reverse proxy QUIC/WebTransport XMPP connections on, should be open to the internet
 5 | quic_listen = [ "[::]:443" ]
 6 | # interfaces to listen for outgoing proxy TCP or WebSocket XMPP connections on, should be localhost or a path for a unix socket
 7 | outgoing_listen = [ "127.0.0.1:15270" ]
 8 | 
 9 | # these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
10 | # prosody module: https://modules.prosody.im/mod_secure_interfaces.html
11 | 
12 | # c2s port backend XMPP server listens on
13 | c2s_target = "127.0.0.1:15222"
14 | 
15 | # s2s port backend XMPP server listens on
16 | s2s_target = "127.0.0.1:15269"
17 | 
18 | # send PROXYv1 header to backend XMPP server
19 | # https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
20 | # prosody module: https://modules.prosody.im/mod_net_proxy.html
21 | # ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
22 | proxy = true
23 | 
24 | # limit incoming stanzas to this many bytes, default to ejabberd's default
25 | # https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
26 | # xmpp-proxy will use this many bytes + 16k per connection
27 | max_stanza_size_bytes = 262_144
28 | 
29 | # TLS key/certificate valid for all your XMPP domains, PEM format
30 | # included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
31 | tls_key = "/etc/xmpp-proxy/le.key"
32 | tls_cert = "/etc/xmpp-proxy/fullchain.cer"
33 | 
34 | # configure logging, defaults are commented
35 | # can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
36 | # many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
37 | #log_level = "info"
38 | # for development/debugging:
39 | #log_level = "info,xmpp_proxy=trace"
40 | 
41 | # one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
42 | #log_style = "never"
43 | 


--------------------------------------------------------------------------------