ejabberd - Comments for "s2s_proxy - S2S Proxying" https://www.ejabberd.im/s2s_proxy en
Multiple vhosts https://www.ejabberd.im/s2s_proxy#comment-53242 <p>There is a bug in the s2s proxy patch that prevents ejabberd from working properly when virtual hosts are involved. I've tracked the problem down mostly and also have a fix. However I wonder if that fix makes the server vulnerable to dns spoofing or the like.</p> <p>When running the s2s proxy patch in a setup where there is one host in the local network and two virtual hosts are remote, on the same server, and the connection between the local and remote server goes through an ejabberd proxy, strange things will happen.</p> <p>This seems to be due to the fact that in ejabberd_s2s_in.erl a field auth_domain is stored. And that field always contains the name of one virtual host - the first one that made the connection it seems.</p> <p>Now, the proxy patch ( <noindex><a href="http://tkabber.jabber.ru/files/contributions/s2s_proxy-2.0.0.patch" title="http://tkabber.jabber.ru/files/contributions/s2s_proxy-2.0.0.patch" rel="nofollow" >http://tkabber.jabber.ru/files/contributions/s2s_proxy-2.0.0.patch</a></noindex> ) (and also the original code before, but in a different way) will check if the domain mentioned in the xml-message will match the one in auth_domain.</p> <p>This will obviously fail with the second virtual host and the incoming messages won't be routed through.</p> <p>The following code will fix this. But probably this is the wrong thing to do:</p> <pre>diff -Naur src/ejabberd_s2s_in.erl src2/ejabberd_s2s_in.erl --- src/ejabberd_s2s_in.erl 2008-04-10 20:42:45.000000000 +0200 +++ src2/ejabberd_s2s_in.erl 2008-05-23 04:14:53.000000000 +0200 
@@ -417,9 +417,15 @@ true -&gt; case lists:member(AuthDomain, [LFrom, ProxyServer]) of true -&gt; - route_stanza(Name, From, To, NewEl); - false -&gt; - error + route_stanza(Name, From, To, NewEl); + false -&gt; + case ?DICT:find({LFrom, LTo}, + StateData#state.connections) of + {ok, established} -&gt; + route_stanza(Name, From, To, NewEl); + _ -&gt; + error + end end; false -&gt; case lists:member(LFrom, MyDomains) of</pre><p> Since the original code also checks auth_domain, maybe this could also be fixed in ejabberd itself.</p> <p>I could probably provide a proper patch, if I had a little more knowledge on how a few things work. Specifically, I wonder why auth_domain is important and how it works or is supposed to work. Also how are connections in ejabberd_s2s_in.erl handled? Is the data structure shared for some connections from the same host? If so, how is this detected?<br /> I guess all s2s connections might be affected if virtual hosts are involved.</p> Mon, 02 Jun 2008 19:11:33 +0000 jroith comment 53242 at https://www.ejabberd.im
Re: Lost Messages https://www.ejabberd.im/s2s_proxy#comment-51116 <div class="quote-msg"> <div class="quote-author"><em>zinid</em> wrote:</div> <p>Unfortunately this can be checked only if you use original version, e.g. without s2s_proxy patch :(</p></div> <p>Ok, this is a problem. We need this type of setup, so just evaluating the situation without s2s_proxy is not enough. Any other ideas? I tried to identify the problem from analysing logfiles over tcpdump up to adding additional debug statements in the ejabberd code. Unfortunately I don't really understand Erlang well enough to do further debugging or even find better places to add debug output to.</p> <p>It would also be really helpful if someone with a similar setup could verify our problem.</p> <p>Any (even the slightest) information is appreciated. 
Thanks :)</p> Mon, 22 Oct 2007 08:34:53 +0000 Michael Grüner comment 51116 at https://www.ejabberd.im
Re: Lost Messages https://www.ejabberd.im/s2s_proxy#comment-51102 <div class="quote-msg"> <div class="quote-author"><em>Michael Gruener</em> wrote:</div> <p>Can this be related to our jabber proxy setup? Or, as another possibility, can it be related to the bug mentioned here: <noindex><a href="https://support.process-one.net/browse/EJAB-219" title="https://support.process-one.net/browse/EJAB-219" rel="nofollow" >https://support.process-one.net/browse/EJAB-219</a></noindex> ? </p></div> <p>Unfortunately this can be checked only if you use original version, e.g. without s2s_proxy patch :(</p> Fri, 19 Oct 2007 10:33:10 +0000 zinid comment 51102 at https://www.ejabberd.im
Lost Messages https://www.ejabberd.im/s2s_proxy#comment-51100 <p>Hi,</p> <p>has anyone ever encountered a problem when using a jabber proxy configuration based on this patch?<br /> We are seeing that jabber messages (meaning all types of xmpp messages like presence notifications or subscription requests) regularly vanish inside our ejabberd jabber proxy. As a side note, almost all messages that vanish have their origin at google talk. The ejabberd debug log shows that the message is received by the ejabberd_receiver but never reaches the ejabberd_router. This behavior can be reproduced, but not always. Sometimes these messages successfully pass the proxy.</p> <p>Can this be related to our jabber proxy setup? 
Or, as another possibility, can it be related to the bug mentioned here: <noindex><a href="https://support.process-one.net/browse/EJAB-219" title="https://support.process-one.net/browse/EJAB-219" rel="nofollow" >https://support.process-one.net/browse/EJAB-219</a></noindex> ?</p> <p>Best regards</p> <p>Michael Grüner</p> Thu, 18 Oct 2007 13:53:43 +0000 Michael Gruener comment 51100 at https://www.ejabberd.im
Re: https://www.ejabberd.im/s2s_proxy#comment-3240 <div class="quote-msg"> <div class="quote-author"><em>xram@jabber.ru</em> wrote:</div> <div class="quote-msg"> <div class="quote-author"><em>nbetm</em> wrote:</div> <p>hi, I have one big question. Can I use s2s-proxying using another distribution (non-ejabberd) in s2s-clients servers??</p> <p>N</p></div> <p>No, you cannot.</p></div> <p>It seems other software needs to be patched to support this method of proxying.</p> Fri, 02 Mar 2007 05:50:31 +0000 MMM comment 3240 at https://www.ejabberd.im
Re: s2s_proxy - S2S Proxying https://www.ejabberd.im/s2s_proxy#comment-3239 <div class="quote-msg"> <div class="quote-author"><em>nbetm</em> wrote:</div> <p>hi, I have one big question. Can I use s2s-proxying using another distribution (non-ejabberd) in s2s-clients servers??</p> <p>N</p></div> <p>No, you cannot.</p> Thu, 01 Mar 2007 23:53:03 +0000 xram@jabber.ru comment 3239 at https://www.ejabberd.im
s2s-clients works only with ejabberd distribution!! https://www.ejabberd.im/s2s_proxy#comment-3238 <p>hi, I have one big question. Can I use s2s-proxying using another distribution (non-ejabberd) in s2s-clients servers??</p> <p>N</p> Thu, 01 Mar 2007 21:45:49 +0000 nbetm comment 3238 at https://www.ejabberd.im
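Review bot: in the new false branch of the @@ -417,9 +417,15 @@ hunk in ejabberd_s2s_in.erl (the patch in comment 53242), a stanza whose LFrom is neither AuthDomain nor ProxyServer is now routed whenever {LFrom, LTo} maps to established in StateData#state.connections, so on this path the decision no longer depends on AuthDomain at all. The hunk does not show where an entry is set to established; the fallback is only sound if that happens solely after LFrom has been verified on this same connection, and that precondition should be stated in a comment next to the ?DICT:find call so the next reader can check it. The first -/+ pair on route_stanza(Name, From, To, NewEl) appears to differ only in whitespace and can be dropped from the patch.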