ejabberd - Comments for "ACL for all user"

I copied your config to my

badlop — Thu, 27 Oct 2016 15:32:00 +0000

I copied your config to my ejabberd 16.09 server. First I adapted the served hosts and certfile. Then I had to define the IP address as IPv6, because you configured the 5222 listener to be IPv6:

  vpn:
     ip:
       - "::FFFF:127.0.0.1"

Then finally I am able to login with a client from the same machine that the server:


(ejabberd@localhost)1> 17:34:29.738 [info] (#Port<0.19422>)
 Accepted connection ::FFFF:127.0.0.1:35111 -> ::FFFF:127.0.0.1:5222
17:34:35.502 [info] ({socket_state,gen_tcp,#Port<0.19422>,<0.485.0>})
 Accepted authentication for user2 by undefined from ::FFFF:127.0.0.1
17:34:35.590 [info] ({socket_state,gen_tcp,#Port<0.19422>,<0.485.0>})
 Opened session for user2@localhost/tka1

In your case, maybe you are using an ejabberd version from a few months ago, which still don't support that 'ip' option?

badlop wrote: Your case is

kripul — Wed, 26 Oct 2016 18:24:13 +0000

badlop wrote:

Your case is very similar, simply put ip in the list. For example, this allows c2s connections from your vpn list (the ones with IP in the 127.0.0.1/8 range), and denies everything else:

acl:
  vpn:
    ip:
      - "127.0.0.0/8"

access_rules:
  c2s:
    - allow: vpn
    - deny

Or a more short version that works in recent ejabberd versions:

access_rules:
  c2s:
    - allow:
      - ip: "127.0.0.1/8"
    - deny

Do you mean
all:deny
or just "deny"?
I got folowing error

2016-10-26 18:21:15.765 [info] <0.455.0>@ejabberd_listener:accept:333 (#Port<0.7157>) Accepted connection ::FFFF:111.221.44.148:55806 -> ::FFFF:46.165.219.131:5222
2016-10-26 18:21:17.785 [info] <0.470.0>@ejabberd_c2s:wait_for_feature_request:740 ({socket_state,p1_tls,{tlssock,#Port<0.7157>,#Port<0.7158>},<0.469.0>}) Accepted authentication for modem by ejabberd_auth_internal from ::FFFF:111.221.44.148
2016-10-26 18:21:18.578 [error] <0.470.0>@acl:match_acl:339 Wrong ACL expression: {ip,{{111,221,44,148},32}}
Check your config file and reload it with the override_acls option enabled
2016-10-26 18:21:18.578 [error] <0.470.0>@acl:match_acl:339 Wrong ACL expression: {ip,{{111,221,44,148},32}}
Check your config file and reload it with the override_acls option enabled
2016-10-26 18:21:18.578 [error] <0.470.0>@acl:match_acl:339 Wrong ACL expression: {ip,{{111,221,44,148},32}}
Check your config file and reload it with the override_acls option enabled
2016-10-26 18:21:18.578 [error] <0.470.0>@acl:match_acl:339 Wrong ACL expression: {ip,{{111,221,44,148},32}}
Check your config file and reload it with the override_acls option enabled
2016-10-26 18:21:18.578 [info] <0.470.0>@ejabberd_c2s:wait_for_session:1141 ({socket_state,p1_tls,{tlssock,#Port<0.7157>,#Port<0.7158>},<0.469.0>}) Forbidden session for modem@xmpp.rajaapi.net/maryamuzzamani

my ejabberd.yml
http://pastebin.com/HCpjd1bD

Your case is very similar,

badlop — Mon, 24 Oct 2016 10:59:00 +0000

Your case is very similar, simply put ip in the list. For example, this allows c2s connections from your vpn list (the ones with IP in the 127.0.0.1/8 range), and denies everything else:

acl:
  vpn:
    ip:
      - "127.0.0.0/8"

access_rules:
  c2s:
    - allow: vpn
    - deny

Or a more short version that works in recent ejabberd versions:

access_rules:
  c2s:
    - allow:
      - ip: "127.0.0.1/8"
    - deny