mod_proxy65 shortcoming

We have two ejabberd servers set up: one for our customers, and one for internal development and testing. The internal server is sitting in our office, behind our router, and we've configured all the correct port mappings so we can use it from outside the office. But recently we've run into trouble enabling the proxy on the dev server. This may be caused by a shortcoming in the proxy configuration options.

If we simply enable the proxy with no options, we get the following error:
Failed to open socket for {7777, mod_proxy65_stream, ["company.dyndns.org", {ip, {172,21,155,146}}]}: eaddrnotavail

Where company.dyndns.org is the hostname of the linux server. I took this error message to mean that the module was trying to bind the socket to the given IP address, which of course didn't work because the IP address of the interface on the local network is something like 10.0.1.2.

I changed the configuration to this:
{mod_proxy65, [{ip, {0,0,0,0}}]}

The socket binds fine now, and telnet confirms the server is accepting connections on port 7777.
But this causes problems within the XEP-0065 protocol.

Specifically, when one queries the server for its streamhost information, the server returns this:

<streamhost jid='proxy.company.dyndns.org' host='0.0.0.0' port='7777'/>

Is there an easy way to fix this problem?

According to XEP-0065 the host attribute can be "the hostname or IP address". Perhaps an option can be added to the proxy configuration options that allows one to specify separate bind and advertise hosts?

Perhaps an additional publicIP option can be added, like so:
{mod_proxy65, [{ip, {0,0,0,0}}, {publicip, {172,21,155,146}}]}
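An added check, written for this thread and not taken from the post or from ejabberd, that classifies the host attribute a proxy advertises in its streamhost reply so that a bind address such as 0.0.0.0, a loopback address or an RFC 1918 address is caught before a remote peer tries a SOCKS5 connect to it. The two streamhost lines are constructed samples: the first is the reply shown above, the second uses 203.0.113.10 (a documentation-range address) in place of a real public router address.

```shell
#!/bin/sh
# Added example, not from the thread or ejabberd: check the host attribute a
# proxy advertises in <streamhost/> before trusting it. A host that is
# 0.0.0.0, loopback or RFC 1918 is only reachable from the proxy's own LAN,
# so a remote peer's SOCKS5 connect will fail exactly as the thread describes.
set -e

# classify_host ADDR -> missing | hostname | unspecified | loopback | rfc1918 | ok
# "hostname" is reported separately because the ejabberd docs warn that not
# every client understands a domain name in stream negotiation.
classify_host() {
    case "$1" in
        "")             echo missing ;;
        *[!0-9.]*)      echo hostname ;;
        0.0.0.0)        echo unspecified ;;
        127.*)          echo loopback ;;
        10.*|192.168.*) echo rfc1918 ;;
        172.*)
            # 172.16.0.0/12 is private too, a common surprise
            second=$(printf '%s' "$1" | cut -d. -f2)
            if [ "$second" -ge 16 ] && [ "$second" -le 31 ]; then
                echo rfc1918
            else
                echo ok
            fi ;;
        *)              echo ok ;;
    esac
}

# streamhost_host XML -> value of the host='...' attribute (single quotes, as ejabberd emits)
streamhost_host() {
    printf '%s\n' "$1" | sed -n "s/.*host='\([^']*\)'.*/\1/p"
}

# check_streamhost XML -> classification of the advertised host
check_streamhost() {
    classify_host "$(streamhost_host "$1")"
}

# Constructed samples. The first is what the original poster saw after binding
# to 0.0.0.0; the second uses 203.0.113.10 (documentation range) in place of a
# real public router address, which is what the advertised host should carry.
BAD="<streamhost jid='proxy.company.dyndns.org' host='0.0.0.0' port='7777'/>"
GOOD="<streamhost jid='proxy.company.dyndns.org' host='203.0.113.10' port='7777'/>"

for xml in "$BAD" "$GOOD"; do
    printf '%s -> %s\n' "$(streamhost_host "$xml")" "$(check_streamhost "$xml")"
done
```

Paste the streamhost element your client receives into BAD or GOOD and run the script; anything other than "ok" (or "hostname", if your clients cope with names) means the bind address leaked into the advertisement and the proxy will not work for peers outside the LAN.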

same problem here

I'm behind DynDNS with the wildcards option set, so my proxy.domain.dyndns.org should be OK, resolving to my IP.

But I cannot bind to a public IP, because I'm behind a NATting router: is there any trick that could let me use the proxy?

P.S.
I tried binding (in the proxy_mod conf) to 0,0,0,0 and to a private address (192.168.x.x) with no luck.

Thank You

what ejabberd version are you using?

roughnecks wrote:

But I cannot bind to a public IP, because I'm behind a NATting router: is there any trick that could let me use the proxy?

DSL router or Linux router? Basically, with iptables/netfilter you could use DNAT to forward it from the router's external interface to the internal host (and even change the port number, if needed). Relevant ports are 5222, 5223, 5269, 7777 and, if you dare expose the web interface, 5280. In addition to that you'll have to allow it to forward to the internal host. Last but not least, your kernel needs to know that you want to allow IPv4 forwarding (use sysctl).

For the ports to which the clients connect, it would look like this:

sudo iptables -t nat -I PREROUTING -i extif -p tcp --dport 5222:5223 -j DNAT --to-destination 192.168.x.y
sudo iptables -I FORWARD -p tcp -d 192.168.x.y --dport 5222:5223 -j ACCEPT

192.168.x.y is the internal host's IP.
extif is the external interface of the router.

roughnecks wrote:

I tried binding (in the proxy_mod conf) to 0,0,0,0 and to a private address (192.168.x.x) with no luck.

Try setting "hostname" (not "host", which is the logical node name within XMPP) to the external(!) IP of your router. I think in my case the version is too old (it's the one shipping with Debian), so I'm going to attempt an upgrade to 2.1.5.

NB: the docs say you should avoid using the host name in the "hostname" field and use the IP preferably.
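The full rule set the post above sketches for 5222:5223, assembled as an added example (mine, not from the thread) that prints the iptables commands for every port the post lists, together with the sysctl for IPv4 forwarding and a conntrack rule so return traffic is allowed when FORWARD has a DROP policy. The interface name eth0 and the address 192.168.1.10 are placeholders for your router's external interface and the LAN address of the ejabberd host; 5280 is only emitted when explicitly asked for, because it exposes the admin web interface.

```shell
#!/bin/sh
# Added example, not from the thread: generate (do not run) the netfilter
# rules that expose an internal ejabberd host through a Linux router.
# Review the output, then run it as root, e.g.  sh gen_rules.sh | sudo sh
set -e

EXTIF=${EXTIF:-eth0}            # assumed: the router's external interface
INT_IP=${INT_IP:-192.168.1.10}  # assumed: LAN address of the ejabberd host

# forward_rules PORTSPEC... -> one DNAT and one FORWARD rule per TCP port
# or port range (e.g. 5222:5223). -i restricts both to the external side.
forward_rules() {
    for ports in "$@"; do
        printf 'iptables -t nat -I PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s\n' \
            "$EXTIF" "$ports" "$INT_IP"
        printf 'iptables -I FORWARD -i %s -p tcp -d %s --dport %s -j ACCEPT\n' \
            "$EXTIF" "$INT_IP" "$ports"
    done
}

# xmpp_rules [admin] -> complete rule set: forwarding enabled in the kernel,
# return traffic allowed, then c2s (5222/5223), s2s (5269) and the
# mod_proxy65 bytestream port (7777). Pass "admin" to also expose the 5280
# web interface; leave it out unless you really want it reachable from outside.
xmpp_rules() {
    extra=""
    if [ "$1" = admin ]; then
        extra=5280
    fi
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    forward_rules 5222:5223 5269 7777 $extra
}

xmpp_rules "$@"
```

Set EXTIF and INT_IP in the environment to match your router before piping the output to a root shell. Note that DNAT only gets the packets to the ejabberd host; the proxy still has to advertise the router's external address (the "hostname" option the post mentions), otherwise the forwarded 7777 is never used.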

Just to let you know.

An upgrade of ejabberd indeed solved the problem. I had to replace the host with another distro that has more recent packages, but on the other hand this is the only service that will run on this box.

NB: there was another post that has to be approved by the admins, apparently. Let's hope they'll do so ... it contained some details concerning your particular questions (besides the hostname issue).

Right, then not ...

I wrote two constructive posts in an attempt to help you, the first more than 20 hours ago, and both of them probably ended up in some mechanism that is supposed to thwart unsolicited commenters, just because I made the mistake of editing them after posting. Oh well, sorry, but this way I'll simply refrain from posting anything further here. Besides, the website keeps warning me of the use of the strtotime PHP function ...

Comments recovered

The spam detector marked two of your comments. I've recovered them now.

Same problem here

Check out the docs: http://www.process-one.net/en/ejabberd/guide_en#modproxy

"{hostname, HostName}
Defines a hostname advertised by the service when establishing a session with clients. This is useful when you run the service behind a NAT. The default is the value of ip option. Examples: "proxy.mydomain.org", "200.150.100.50". Note that not all clients understand domain names in stream negotiation, so you should think twice before setting domain name in this option."

This suggests that it is the solution to our problem, but it does not work on my side.

Version string is: "2.0.0" ... now I don't know whether *that's* the problem. It's fairly old, I think.
