On 2014-07-05 18:35, Matthew Wild wrote:
> Hi,
> 
> On 5 July 2014 00:26, Hugo Osvaldo Barrera <h...@barrera.io> wrote:
> > Hi,
> >
> > I'm trying to set up BOSH without success.
> 
> Thanks for the details. One key bit of info missing: what version of
> Prosody are you using?
> 

prosody-0.9.4, on OpenBSD-current

> >     bosh_ports = { 5280 }
> 
> Probably best to drop this line. 5280 is the default, and bosh_ports
> has been removed from 0.9+.
> 

Thanks. The docs need updating, apparently. :)

> > When testing this locally:
> >
> > # curl -I localhost:5280/http-bind
> > HTTP/1.1 404 Not Found
> > Connection: Keep-Alive
> > Content-Length: 369
> > Date: Fri, 04 Jul 2014 23:06:25 GMT
> > # curl localhost:5280/http-bind
> > <html><body>
> >         <p>It works! Now point your BOSH client to this URL to connect to 
> > Prosody.</p>
> >         <p>For more information see <a 
> > href="http://prosody.im/doc/setting_up_bosh";>Prosody: Setting up 
> > BOSH</a>.</p>
> >         </body></html>
> > # curl xmpp.barrera.io/http-bind
> > <!DOCTYPE html>
> > <html>
> > <head><meta 
> > charset="utf-8"><style>body{margin-top:14%;text-align:center;background-color:#F8F8F8;font-family:sans-serif;}h1{font-size:xx-large;}p{font-size:x-large;}p+p
> >  { font-size: large; font-family: courier }</style>
> > </head>
> > <body><h1>404 Not Found</h1><p>Whatever you were looking for is not here. 
> > It's behind you.</p><p>Unknown host: xmpp.barrera.io</p>
> > </body>
> >
> > My nginx config is LITERALLY a copy-paste from
> > https://prosody.im/doc/setting_up_bosh
> >
> > Looking at pidgin's log, it gets the same 404 message I get via curl
> > xmpp.barrera.io/http-bind.
> > I've also tried setting xmpp.barrera.io.
> 
> Sounds like you're using Prosody 0.9. Prosody 0.8 totally ignored the
> HTTP host, which simplified setup but led to some unintuitive
> behaviour and limitations. In Prosody 0.9 you need to make sure to
> tell Prosody about what HTTP host you will be using (if it isn't the
> same as an XMPP host in your config).
> 

Oh, yes, that explains what my issue is, thanks!

> I'm going to guess that your XMPP host is "barrera.io", and Prosody is
> running at "xmpp.barrera.io". This is a common setup, and the fix is
> easy. Under your "barrera.io" host in Prosody's config, just tell it
> what HTTP host to expect:
> 
>   VirtualHost "barrera.io"
>      ...options here....
>      http_host = "xmpp.barrera.io" -- HTTP requests will be addressed to here
> 

Yup, that got rid of the issue of me requiring the Host header. I simply
deleted the line from nginx entirely. (No need for proxy_set_header
at all).

> > After looking at the error a bit, I tried some guessing and changed
> > nginx to:
> >
> >     location / {
> >         proxy_pass        http://localhost:5280/http-bind;
> >         proxy_set_header  Host "localhost";
> >         proxy_buffering off;
> >         tcp_nodelay on;
> >     }
> >
> > (notice the change in Host). Why did I need this? Has anyone else had 
> > similar experiences?
> 
> This worked because you probably have "localhost" as a VirtualHost in
> your config. This would also have worked (and be more correct):
> 
>    proxy_set_header  Host "barrera.io";
> 
> If you prefer you can do this *instead* of setting http_host in
> Prosody's config. The only advantage to configuring it in Prosody is
> that you can then easily serve multiple HTTP hosts (which may or may
> not be useful to you).
> 
> > After this change, curl http://xmpp.barrera.io/ works as expected. Pidgin
> > manages to connect but with absolutely no encryption. If I enable HTTPS,
> > it fails. If I require encryption on the client or server side (or both),
> > it fails too.
> 
> https://xmpp.barrera.io/ seems to work for me (in my browser), so I
> don't know what the problem might be here. Check Pidgin's debug logs
> perhaps (Help->Debug).
> 

Pidgin "just fails":

[...]
(20:24:41) proxy: Connected to xmpp.barrera.io:443.
(20:24:43) nss: 
subject=E=postmas...@barrera.io,CN=xmpp.barrera.io,C=AR,OID.2.5.4.13=x9oY27d7F92897MS
 issuer=CN=StartCom Class 1 Primary Intermediate Server CA,OU=Secure Digital 
Certificate Signing,O=StartCom Ltd.,C=IL
(20:24:43) nss: subject=CN=StartCom Class 1 Primary Intermediate Server 
CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL 
issuer=CN=StartCom Certification Authority,OU=Secure Digital Certificate 
Signing,O=StartCom Ltd.,C=IL
(20:24:43) nss: subject=CN=StartCom Certification Authority,OU=Secure Digital 
Certificate Signing,O=StartCom Ltd.,C=IL issuer=CN=StartCom Certification 
Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
(20:24:43) certificate/x509/tls_cached: Starting verify for xmpp.barrera.io
(20:24:43) certificate/x509/tls_cached: Checking for cached cert...
(20:24:43) certificate/x509/tls_cached: ...Found cached cert
(20:24:43) nss/x509: Loading certificate from 
/home/hugo/.purple/certificates/x509/tls_peers/xmpp.barrera.io
(20:24:43) certificate/x509/tls_cached: Peer cert matched cached
(20:24:43) nss/x509: Exporting certificate to 
/home/hugo/.purple/certificates/x509/tls_peers/xmpp.barrera.io
(20:24:43) util: Writing file 
/home/hugo/.purple/certificates/x509/tls_peers/xmpp.barrera.io
(20:24:43) certificate: Successfully verified certificate for xmpp.barrera.io
(20:24:43) connection: Connection error on 0x139b110 (reason: 0 description: 
Lost connection with server: Input/output error)
(20:24:43) nss: Handshake failed  (-5938)
(20:24:43) jabber: BOSH server closed the connection (0x1bcd310)
(20:24:43) account: Disconnecting account h...@barrera.io/hyperion (0x12cafb0)
(20:24:43) connection: Disconnecting connection 0x139b110
(20:24:43) connection: Destroying connection 0x139b110

Does this look like a client issue?

On the server side, the ONLY thing logged by both nginx and prosody is:

# tail -f /var/log/nginx/error.log  
2014/07/07 23:20:01 [alert] 1818#0: worker process 32138 exited on signal 11
2014/07/07 23:20:02 [alert] 1818#0: worker process 28105 exited on signal 11
2014/07/07 23:20:42 [alert] 1818#0: worker process 19225 exited on signal 11
2014/07/07 23:20:43 [alert] 1818#0: worker process 18334 exited on signal 11
2014/07/07 23:21:03 [alert] 1818#0: worker process 31438 exited on signal 11
2014/07/07 23:21:05 [alert] 1818#0: worker process 8974 exited on signal 11
2014/07/07 23:21:23 [alert] 1818#0: worker process 31071 exited on signal 11
2014/07/07 23:21:24 [alert] 1818#0: worker process 12919 exited on signal 11
2014/07/07 23:21:36 [alert] 1818#0: worker process 7470 exited on signal 11
2014/07/07 23:21:37 [alert] 1818#0: worker process 4447 exited on signal 11

(just once per attempt, of course).

Connecting with HTTP (instead of HTTPS) results in a different error:

"You require encryption, but it is not available on this server."
I get this error regardless of the value for consider_bosh_secure.

If I disable encryption on Pidgin (just as a test, because HTTP+plain-text
is an awful idea), that *does* work.

> Regards,
> Matthew
> 

Thanks,

-- 
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?
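The Host-header behaviour Matthew describes above is easy to check directly: send the same GET /http-bind to Prosody with different Host values and see which ones it recognises. The script below is an added example, not code from this thread or from Prosody or nginx. probe_bosh() is the equivalent of `curl -H 'Host: barrera.io' http://localhost:5280/http-bind`, and start_mock_prosody() is a constructed stand-in for Prosody 0.9's per-host dispatch so the script runs offline; its "It works!" and "Unknown host" replies are modelled on the curl output quoted in the thread. The host names "barrera.io", "localhost" and "xmpp.barrera.io" and the 127.0.0.1 port are assumptions for the demo, and an http_host for "xmpp.barrera.io" is deliberately left unset so the third probe shows the failure mode.

```python
"""Check which Host header values a BOSH endpoint accepts.

Prosody 0.9 dispatches HTTP requests on the Host header, so a reverse proxy
that forwards a Host value Prosody has not been told about (via a VirtualHost
or http_host) gets the "Unknown host" 404 seen in this thread.  probe_bosh()
sends GET /http-bind with an explicit Host header and classifies the reply.
start_mock_prosody() is a constructed stand-in for that dispatch behaviour so
the script runs offline; point probe_bosh() at a real localhost:5280 instead
to test an actual server.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def classify(status, body):
    """Map a response to one of: bosh-ok, unknown-host, other."""
    if status == 200 and "It works!" in body:
        return "bosh-ok"
    if status == 404 and "Unknown host" in body:
        return "unknown-host"
    return "other"


def probe_bosh(host, port, host_header, path="/http-bind", timeout=5):
    """GET `path` on host:port with the given Host header; returns (status, verdict).

    Passing Host explicitly overrides the value http.client would derive from
    host:port, which is what proxy_set_header Host does in nginx.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host_header})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        return resp.status, classify(resp.status, body)
    finally:
        conn.close()


class _MockProsody(BaseHTTPRequestHandler):
    """Constructed stand-in for Prosody 0.9's per-host HTTP dispatch (not Prosody code)."""
    known_hosts = frozenset()

    def do_GET(self):
        # Match on the hostname only, so strip any :port suffix.
        host = self.headers.get("Host", "").split(":", 1)[0]
        if host not in self.known_hosts:
            self._reply(404, "<h1>404 Not Found</h1><p>Unknown host: %s</p>" % host)
        elif self.path == "/http-bind":
            self._reply(200, "<p>It works! Now point your BOSH client to this URL.</p>")
        else:
            self._reply(404, "<h1>404 Not Found</h1>")

    def _reply(self, status, html):
        data = html.encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_mock_prosody(known_hosts):
    """Serve the mock on 127.0.0.1 on a free port; returns (server, port)."""
    handler = type("MockProsody", (_MockProsody,), {"known_hosts": frozenset(known_hosts)})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe_all(host, port, host_headers):
    """Probe several Host values against one endpoint; returns {host_header: verdict}."""
    return {h: probe_bosh(host, port, h)[1] for h in host_headers}


if __name__ == "__main__":
    # Assumed config: VirtualHost "barrera.io" plus "localhost", as inferred in
    # the thread; "xmpp.barrera.io" only becomes known once http_host is set.
    server, port = start_mock_prosody({"barrera.io", "localhost"})
    try:
        results = probe_all("127.0.0.1", port, ["localhost", "barrera.io", "xmpp.barrera.io"])
        for h, verdict in results.items():
            print(f"Host: {h:18s} -> {verdict}")
    finally:
        server.shutdown()
```

Against a real deployment, replace the mock with the address nginx proxies to (localhost:5280 by default) and probe with the exact Host value nginx forwards; "unknown-host" for that value means either proxy_set_header Host needs to name an XMPP VirtualHost or http_host must be added under it, and "bosh-ok" confirms the proxy and Prosody agree before TLS is layered on top.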