incubator-wave-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Angus Turner <angusisf...@gmail.com>
Subject Re: Federating with self-signed certificates
Date Sat, 01 Jun 2013 00:37:13 GMT
https://cwiki.apache.org/confluence/display/WAVE/Federation
This is the definitive guide to federation. I hope that helps

Thanks
Angus Turner
angusisfree@gmail.com


On Sat, Jun 1, 2013 at 10:26 AM, Bruno Gonzalez <stenyak@gmail.com> wrote:

> Thanks for the help so far.
> Today I could devote some time to it again, this is my progress so far:
>  - Created all certificate files via startssl.
>  - Installed and configured prosody.
>  - Partially set up DNS records.
>  - Configured everything through ant .... -Dfoo=bar
>
> So here's the questions:
> 1) Is there some big step I'm missing? I can't seem to find a step-by-step
> guide on federation, I'm stumbling upon links, following them, and hoping I
> haven't overlooked some other important page.
> 2) I'm unable to register an account at wave.eezysys.co.uk in order to
> test
> stuff with myself. Could you please enable it so that I can log in there?
> 3) I'm not so sure I've set up the DNS records correctly. I guess I'll find
> out when I have access to the aforementioned wave server, but meanwile I'd
> like to check some settings and review the general configuration of my
> systems. Please bear with me, this is a bit long...
>
> The idea so far is to have a single wiab server, running in my desktop pc
> at home.
> This desktop pc is natted/firewalled. So far I've forwarded port 9898 (the
> wiab web interface port), but I'm guessing I'll also need to forward some
> ports for XMPP, is that right? Which one/s is it? According to netstat
> output, I think prosody is using 5269, 5275 and 5222, should I forward the
> three of them?
> The firewall of this LAN (the router) has dynamic IP. In order to handle
> that, I have a dyndns subdomain "1ksurvivor.dyndns.org", with an A record
> that points to the actual IP xxx.yyy.zzz.ttt of my home network. I cannot
> do anything else with that dyndns subdomain, only modify the A record.
> To work around that, my idea was to re-use the stenyak.com domain that I'm
> already using for hosting my personal website in a shared host of a 3rd
> party server. To do that:
>  - The stenyak.com A record is pointing to my shared server on the net,
> where my personal website resides. I don't intend to change that, it should
> still point there at any time, and not to my home network in anyway.
>  - I've created a wave.stenyak.com subdomain.
>  - I've created an SRV record in stenyak.com domain: _xmpp-server._
> tcp.example.com. 86400 IN SRV 10 0 5269 wave.stenyak.com.
>  - Due to using google apps in my stenyak.com domain, I had a CNAME alias
> of "wave" pointing to google server at "ghs.google.com". I didn't like
> that, so arbitrarily decided to make "wave" point to "
> 1ksurvivor.dyndns.org"
> instead. I have absolutely no idea if this is correct or if it will break
> things.
>  - The federation docs talk about "XMPP disco" (discovery?). I'm not sure
> if I should do anything about it?
> As a summary about DNS records, there's only two lines that mention wave:
> that SRV record line I pasted above, and the CNAME record.
>
> After doing these changes, I waited for a while for DNS to propagate. Then
> I run the checks shown in the docs. These:
> $ dig +short -t A example.com
> 72.148.43.48
> $ dig +short -t A wave.example.com
> 72.148.43.48
>
> In my case, the results were:
> $ dig +short -t A stenyak.com
> 74.220.220.29
> $ dig +short -t A wave.stenyak.com
> 1ksurvivor.dyndns.org.
> 77.228.34.76
>
> The first IP is the IP of the shared host where I serve my personal
> website. The second command outputs the dyndns subdomain, and the current
> IP of my home network. Does it all look ok, or will there be problems as it
> currently stands?
>
> Finally, regarding the wiab configuration files:
>  - The xmpp_component_name is "wave" by default, but the prosody
> configuration file ended up having a component named "wave.stenyak.com".
> Is
> that ok, or should I change one of those names?
>  - In the docs, it seems to be mentioned that SSL is necessary for
> federation. However, the wiab config file has enable_ssl=false. Is that
> correct?
>  - Should I set to "false" these two variables too?
> waveserver_disable_verification, waveserver_disable_signer_verification
>  - I think I recall reading about federation problems when using lucene,
> should I swtich from lucene search to memory search?
>  - The xmpp_server_secret is the same pass word used in the
> component_secret in prosody configuration, and not some xmpp-server-wide
> password, right?
>
>
> Phew, I think that's all for now. Any help is much appreciated, I've never
> really fiddled with DNS or certificates stuff so please be patient :-)
>
>
>
> On Thu, May 30, 2013 at 12:29 PM, Ali Lown <ali@lown.me.uk> wrote:
>
> > @Bruno:
> > >> > I'm attempting again to make my wave server federable, and have some
> > >> > questions that I hope someone can answer:
> > >> > 1) Is there any wave server out there that will accept self-signed
> > >> > certificates? I'd like to test this first, before I try ca-issued
> > >> > certificates (because I'm guessing it may be more difficult to
> achieve
> > >> that
> > >> > and I want to start simple, though I may be wrong).
> > >>
> > >> None currently. I can make one available if needed, but the effort to
> > >> get a certificate from StartCom is significantly less than the effort
> > >> to make it all work together anyway.
> > >> Neither route is any more difficult.
> > >>
> > >> Understood, I'll go with signed certs then. Any existing wiab servers
> I
> > > could use for federation tests, my server having a ca-issued cert?
> >
> > I have made my server available for testing at wave.eezysys.co.uk.
> > (It took me >1h this morning to get it setup again in a way that I
> > think should make it federatable)
> >
> > >>  > 2) The check-certificates.sh script seems to be outdated, it
> assumes
> > >> that
> > >> > either run-config.sh or run-config.sh.example exist, but none of
> them
> > >> exist
> > >> > anymore (I'm in git master branch). Can I simpy comment out those
> > checks
> > >> in
> > >> > check-certificates.sh and go ahead, or is something important really
> > >> > missing if I did that?
> > >>
> > >> The problem with removing the run-config.sh check is that the rest of
> > >> the script depends on the values it got from that. (In short the
> > >> script is pretty much useless now).
> > >>
> > >> Remove or fix?
> > >>
> > >> Would it be appropriate to include those checks at the start of the
> > > "run-server" ant target?
> > > They seem to automate part of the checks outlined here:
> > > http://www.waveprotocol.org/federation/certificates
> >
> > Hmm. We would need to determine whether they had federation enabled
> > before trying to run the checks there.
> >
> > >> 3) The initial setup I'm aiming for is this: use my own desktop pc
> > >> (running
> > >> > debian sid), forward whatever ports are necessary in the router (so
> > far
> > >> > I've forwarded 9898 tcp incoming), and assume people can access my
> > wiab
> > >> > server through my dyndns subdomain (which is in the form "
> > >> foobar.dyndns.org").
> > >> > Is this setup enough for testing federation, or would I need to
> > >> > purchase/use a domain that *I* fully control (e.g. "foobar.com") in
> > >> order
> > >> > to configure it in ways that dyndns may not allow?
> > >>
> > >> To allow XMPP communication to work, you need to be able to setup TXT
> > >> records detailing which port to use for the wave service. I don't know
> > >> if dyndns allows you to do this.
> > >>
> > >
> > > Just checked this, it looks like for free accounts you can barely do
> > > anything.
> > >
> > > Fortunately I have some regular domains that I could use (e.g.
> > stenyak.com).
> > > By reading the docs, it looks like I could set a "wave" SRV record that
> > > points to my dyndns subdomain (foobar.dyndns.org) on port 9898. That
> > dyndns
> > > subdomain has the A record that actually points to my home network IP,
> > > where the 9898 port is forwarded to the relevant computer in the lan.
> > >
> > > Is this plan correct? Would wave addresses then be user1@stenyak.com,
> > > user2@stenyak.com, etc?
> >
> > Yes. That sounds correct.
> >
> > > If so, does all of this mean that I can only have one wave server on
> the
> > > stenyak.com domain, or could I have several, for example a server on
> > > wave1.stenyak.com and another one on wave2.stenyak.com? (I might try
> > this
> > > for testing federation in a controlled environment, before I try to
> > > federate with 3rd party servers)
> >
> > You can have one wave server per domain-thing. So you can have one at
> > mydomain.tld. One at sub1.mydomain.tld etc.
> > And since you specify port in the SRV record, you can have them all at
> > the same IP if you really wish to.
> >
> > Also, I _strongly_ suggest using Prosody, rather than OpenFire as the
> > XMPP server, simply because OpenFire is a huge package with a
> > confusing set of configuration options, whereas Prosody just has the
> > one config file to debug when it doesn't work. :)
> >
> > The instructions on the wiki for it look correct.
> >
> > @Angus:
> > Thanks for moving those documents across. You are correct with those
> > TODOs (and missed one where the certificates document was referring to
> > the old run-config.sh script, which is now server.federation.config).
> > The console client was also removed a while ago.
> >
> > If I get some time, I might attempt to tidy up some of those TODOs,
> > but I am trying to get a release handled as well here, so if you can
> > work on them (just ask about any questions directly on the list), that
> > would be great.
> >
> > Thanks.
> > Ali
> >
>
>
>
> --
> Saludos,
>      Bruno González
>
> _______________________________________________
> Jabber: stenyak AT gmail.com
> http://www.stenyak.com
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message