jsxc / xmpp-cloud-auth

:key: Authentication hub for Nextcloud+JSXC→Prosody, ejabberd, saslauthd, Postfix
https://www.jsxc.org
MIT License

no chat login possible with external prosody server #62

Closed dasboeh closed 5 years ago

dasboeh commented 6 years ago

Hello,

I installed NC 13.0.4 under Ubuntu 18.04 with Nginx. For JSXC I use xmpp-cloud-auth and Prosody. I configured everything according to this tutorial: https://github.com/jsxc/xmpp-cloud-auth/wiki

BOSH is reachable through https://mydomain.com/http-bind. Actually this redirects to http://localhost:5280/http-bind.

I forwarded ports 5222, 5269, 5280 from my router to my server.

My Nginx gateway config is:

…
server {
        listen 443 ssl http2;
        server_name mydomain.com;

        # Certificates used
        ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;

        # Not using TLSv1 will break:
        #       Android <= 4.4.40
        #       IE <= 10
        #       IE mobile <=10
        # Removing TLSv1.1 breaks nothing else!
        # TLSv1.3 is not supported by most clients, but it should be enabled.
        ssl_protocols TLSv1.2 TLSv1.3;

        # (Modern) cipher suite from https://mozilla.github.io/server-side-tls/ssl-config-generator/
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

        # Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits
        ssl_dhparam /etc/nginx/ssl/dhparams.pem;

        # Use multiple curves.
        # secp521r1: Not supported by Chrome
        # secp384r1: Not supported by Android (DAVdroid)
        ssl_ecdh_curve secp521r1:secp384r1:prime256v1;

        # Server should determine the ciphers, not the client
        ssl_prefer_server_ciphers on;

        # OCSP Stapling
        # fetch OCSP records from URL in ssl_certificate and cache them
        ssl_stapling on;
        ssl_stapling_verify on;

        # This should be chain.pem
        # See here: https://certbot.eff.org/docs/using.html
        ssl_trusted_certificate /etc/letsencrypt/live/die-boehs.de/chain.pem;

        resolver 192.168.178.1;

        # SSL session handling
        ssl_session_timeout 24h;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;

        #
        # Add headers to serve security related headers
        #
        # HSTS (ngx_http_headers_module is required)
        # In order to be recoginzed by SSL test, there must be an index.hmtl in the server's root
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
        add_header X-Content-Type-Options "nosniff" always;
        # Usually this should be "DENY", but when hosting sites using frames, it has to be "SAMEORIGIN"
        add_header Referrer-Policy "same-origin" always;
        #add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;

        location = / {
                # Disable access to the web root, otherwise nginx will show the default site here.
                deny all;
        }
…
        #
        # XMPP
        #
        location /http-bind {
            proxy_pass  http://127.0.0.1:83;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_buffering off;
            tcp_nodelay on;
        }

Then the Nginx XMPP vHost config is:

server {
    listen 127.0.0.1:83;
    server_name 127.0.0.1;

    location /http-bind {
        proxy_pass  http://localhost:5280/http-bind;
        proxy_set_header Host $host;
        proxy_buffering off;
        tcp_nodelay on;
    }

}

The /etc/prosody/prosody.cfg.lua and /etc/xcauth.conf files are taken directly from the wiki tutorial. I just changed the domain to mydomain.com in prosody.cfg.lua and added url=https://mydomain.com/nextcloud/apps/ojsxc/ajax/externalApi.php and the API token given in the NC settings to xcauth.conf.

I saved the config in the NC settings, logged out and tried to log in again. Login takes forever, and when I hit reload I am logged in again but without chat. When I click on the chat icon in the upper right I can log in to the chat. I hit login and it takes forever, until I cancel the login.

I'm watching my JS console, but there are no errors there. The Prosody log shows no error either; it just mentions that a new BOSH session has been started.

So this is a bit frustrating, since I have no clue where to start debugging. I hope someone can help.
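A way to narrow down where a chain like the one above breaks is to send a real XEP-0124 session creation request to each hop (Prosody on 5280, the internal nginx vhost on :83, the public HTTPS URL) and classify what comes back. The script below is an added diagnostic, not code from the issue or from xmpp-cloud-auth; the hop URLs and the domain `mydomain.com` are placeholders taken from the post, and the sample responses in the comments are constructed.

```python
"""Probe each hop of a BOSH reverse-proxy chain with a XEP-0124 session creation request.

Added diagnostic for a Nextcloud/JSXC -> nginx -> Prosody chain; not part of
xmpp-cloud-auth. Hop URLs and domain are placeholders from the issue text.
"""
import urllib.request
import uuid
import xml.etree.ElementTree as ET

BOSH_NS = "http://jabber.org/protocol/httpbind"


def build_session_request(domain, rid=None, wait=5):
    """XEP-0124 session creation body; 'to' must be the XMPP domain Prosody serves."""
    rid = rid or uuid.uuid4().int % 10**9
    return (f'<body xmlns="{BOSH_NS}" rid="{rid}" to="{domain}" wait="{wait}" hold="1" '
            f'content="text/xml; charset=utf-8" xml:lang="en" ver="1.6"/>')


def parse_session_response(xml_text):
    """Classify a response: ('ok', sid), ('terminate', condition) or ('invalid', reason).

    A healthy hop returns <body sid="..."/>; a wrong 'to' domain gives
    type="terminate" condition="host-unknown"; a misrouted proxy typically
    returns an HTML error page, which shows up here as 'invalid'."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as e:
        return ("invalid", f"not XML ({e})")
    if root.tag != f"{{{BOSH_NS}}}body":
        return ("invalid", f"unexpected root {root.tag}")
    if root.get("type") == "terminate":
        return ("terminate", root.get("condition", "unknown"))
    sid = root.get("sid")
    if not sid:
        return ("invalid", "no sid in session creation response")
    return ("ok", sid)


def probe(url, domain, timeout=10):
    """POST a session request to one hop; timeouts (the 'hangs forever' case) come back as 'error'."""
    req = urllib.request.Request(url, data=build_session_request(domain).encode(), method="POST",
                                 headers={"Content-Type": "text/xml; charset=utf-8"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_session_response(resp.read().decode("utf-8", "replace"))
    except Exception as e:
        return ("error", f"{type(e).__name__}: {e}")


if __name__ == "__main__":
    DOMAIN = "mydomain.com"  # placeholder from the issue
    for hop in ("http://localhost:5280/http-bind", "http://127.0.0.1:83/http-bind",
                f"https://{DOMAIN}/http-bind"):
        print(hop, probe(hop, DOMAIN))
```

Run it on the server itself: the first hop that does not return `('ok', sid)` is where the chain breaks, and a `terminate`/`host-unknown` from Prosody means the `to` domain does not match a VirtualHost in prosody.cfg.lua.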

dasboeh commented 6 years ago

Addendum: When I try to connect with Pidgin to ncuser@mydomain.com there is also this infinite loop, ending in the error "service not available".

MarcelWaldvogel commented 6 years ago

Sorry, I do not speak nginx fluently. Can you try our Apache setup? (At least temporarily.) And then maybe help us recommend an nginx setup?

https://github.com/jsxc/xmpp-cloud-auth/wiki

dasboeh commented 6 years ago

Dear Marcel,

I'll try to test the Apache server setup at the weekend and will report back then. :-)

Best regards

MarcelWaldvogel commented 6 years ago

Has there been any news here?

MarcelWaldvogel commented 5 years ago

Closing due to inactivity