On 1/1/08, Daniel Pocock <[EMAIL PROTECTED]> wrote:
>
> Just as long as it makes the problem obvious - I was a little confused
> when I changed the configuration and there was no obvious impact.

The actual problem was that the logging facility wasn't started yet, so
error messages didn't reach the log file. The message looks like the
following:

E(<0.242.0>:ejabberd_listener:80): Failed to open socket for {222, ejabberd_c2s, [{access,c2s}, {max_stanza_size, 65536}, starttls, {certfile, "/etc/ejabberd/ejabberd.pem"}, {shaper, c2s_shaper}]}: eacces

which looks reasonably understandable.

> >> Why this is important, documentation:
> >> - for usage of Jabber to spread, we must make it easy to get through
> >>   firewalls
> >> - many corporate firewalls, by default, will only allow the `HTTP
> >>   Connect' proxy method to connect to servers on port 443
> >> - configuring ejabberd to listen on port 443 is a very effective way
> >>   to allow incoming connections from users who are behind firewalls
> >>
> >
> > I don't agree that it's important. I think that all services should be
> > bound to their assigned ports. Otherwise the system becomes a mess.
> > On the other hand, do you really think that "corporate firewalls"
> > are set by evil people just to prevent XMPP from spreading? BTW, if you
> > want Jabber server to listen at port 443 you can redirect it by a
> > firewall.
> >
>
> I agree - in a default configuration - we should only use assigned ports.
>
> In practice, we should give users the information to configure it for
> their needs:
> - Many companies have a policy permitting email and instant messaging,
>   for productivity reasons.
> - Google Talk provides a way for people to do Jabber through a HTTP
>   firewall (using a flash client). MSN and others also work through HTTP
>   proxies.
> - If firewall administrators really want to be secure, they would not
>   offer the `HTTP Connect' service. For example, security conscious
>   companies typically don't provide any Internet access from those LAN
>   segments that need real security. Those machines are on separate
>   networks with extra firewalls and modified routing tables.
> - When someone is at a hotel, an airport, or a friend's house, they may
>   otherwise be unable to use Jabber. They need to either pre-configure
>   their Jabber server on port 443, or install a web based Jabber client on
>   their web server (which may mean limited features).
> - Consequently, although it is non-standard, it is quite legitimate and
>   often quite desirable for people installing this package to want to use
>   port 443.
> - In my own case, I put an extra IP address on the server, just for
>   Jabber. That way, I can have ejabberd listening on (jabber IP):443, and
>   I have an Apache process listening on (another IP):443. Therefore,
>   using the https port for ejabberd client connections doesn't
>   inconvenience me at all.

I think that it's fairly easy to redirect TCP connections using iptables,
so it isn't so important to be able to bind privileged ports. A simple
example will be included in README.Debian.

--
Sergei Golovan
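
The iptables redirect mentioned in the reply above, as an added example (not part of the original message, and not the example promised for README.Debian). It assumes ejabberd's c2s listener is on the unprivileged port 5222 and uses 192.0.2.10, a documentation address, as the IP set aside for Jabber; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: redirect TCP 443 to ejabberd's unprivileged c2s port, so the
# ejabberd user never has to bind a port below 1024 (the cause of "eacces").
# Assumptions (not from the thread): c2s listens on 5222; 192.0.2.10 is the
# address dedicated to Jabber.

# Build the rule body (everything after the -A / -C verb and chain option).
# $1 = destination IP, $2 = public port, $3 = local ejabberd port
redirect_rule() {
    printf '%s' "PREROUTING -p tcp -d $1 --dport $2 -j REDIRECT --to-ports $3"
}

# Accept only decimal port numbers in the range 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Dry run by default: print the command that would be executed.
# With APPLY=1 (run as root) the rule is added only if it is not present yet.
setup_redirect() {
    valid_port "$2" && valid_port "$3" || { echo "invalid port" >&2; return 2; }
    rule=$(redirect_rule "$1" "$2" "$3")
    if [ "${APPLY:-0}" = 1 ]; then
        # -C tests for an identical rule, which keeps repeated runs idempotent.
        # $rule is left unquoted on purpose so it splits into arguments.
        iptables -t nat -C $rule 2>/dev/null || iptables -t nat -A $rule
    else
        echo "iptables -t nat -A $rule"
    fi
}

# Matching on -d limits the redirect to the Jabber address, so a web server
# bound to another address on port 443 is unaffected. PREROUTING only sees
# packets arriving from the network; connections made from the host itself
# would need an equivalent rule in the nat OUTPUT chain.
setup_redirect 192.0.2.10 443 5222
```

The rule lives only in the running kernel, so it has to be re-applied at boot by whatever mechanism the host uses to restore its firewall.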