Hi John,

[email protected] wrote:
> I am still digesting the complexities of how SOCKS5 proxies for
> bytestreams are negotiated.
> I am working on determining if I can use a private proxy server in this
> context and restrict the proxy server's use.
>
> Authentication is the only way I could think of.

Take a look at part 4.4 of XEP-0065, particularly Example 9. The step where the XMPP client asks the S5B proxy over XMPP for its network address is allowed to return a <forbidden/> error if the requesting client is not allowed to use the proxy. This means the proxy can have a whitelist of JIDs or servers which it will relay for, and refuse the others.

You could therefore eg allow any JID on your server, and anyone on any other server who has registered for the service (and you've authenticated their JID, eg by IMing them a URL). This works as far as you trust the XMPP servers you've federated with to not monkey with you for free relaying.

You can also apply whatever limits you want on the servers you consider trustworthy enough, eg maintain a whitelist, or only allow federation with servers that use TLS for S2S, or start out with totally open federation (using DNS dialback) and look into locking it down further if it becomes a problem.

Regards,
Rob

--
Robert McQueen +44 7876 562 564
Director, Collabora Ltd. http://www.collabora.co.uk
_______________________________________________
telepathy mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/telepathy
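
The check described in the message above, sketched as an added example that is not part of the original post or of any proxy's own code: a handler for the XEP-0065 address query that returns the streamhost only to allowlisted JIDs and a <forbidden/> error to everyone else. The proxy JID, address, port and allowlist entries are constructed assumptions.

```python
import xml.etree.ElementTree as ET

S5B_NS = "http://jabber.org/protocol/bytestreams"
STANZA_NS = "urn:ietf:params:xml:ns:xmpp-stanzas"

# Constructed policy and addresses (assumptions for this example).
PROXY_JID, PROXY_HOST, PROXY_PORT = "proxy.example.org", "192.0.2.10", "7777"
ALLOWED_DOMAINS = {"example.org"}          # any user JID on our own server
ALLOWED_JIDS = {"alice@partner.example"}   # outside users who registered

def is_allowed(jid):
    # Cut the resource first: it may itself contain '@' or '/'.
    bare = jid.split("/", 1)[0].lower()    # simplified; real code applies JID normalization
    local, sep, domain = bare.rpartition("@")
    if not sep or not local:
        return False                       # domain-only JIDs get no relaying here
    return domain in ALLOWED_DOMAINS or bare in ALLOWED_JIDS

def handle_address_query(iq_xml):
    """Answer a proxy address query; return reply XML, or None if not ours."""
    iq = ET.fromstring(iq_xml)             # stanza as delivered by the XMPP server
    if iq.get("type") != "get" or iq.find(f"{{{S5B_NS}}}query") is None:
        return None
    sender = iq.get("from", "")            # stamped by the sender's server
    reply = ET.Element("iq", {"id": iq.get("id", ""), "from": PROXY_JID, "to": sender})
    if is_allowed(sender):
        reply.set("type", "result")
        query = ET.SubElement(reply, f"{{{S5B_NS}}}query")
        ET.SubElement(query, f"{{{S5B_NS}}}streamhost",
                      {"jid": PROXY_JID, "host": PROXY_HOST, "port": PROXY_PORT})
    else:
        reply.set("type", "error")
        error = ET.SubElement(reply, "error", {"type": "auth"})
        ET.SubElement(error, f"{{{STANZA_NS}}}forbidden")
    return ET.tostring(reply, encoding="unicode")

# Constructed sample stanzas (stream namespace omitted for brevity).
SAMPLE_ALLOWED = ("<iq type='get' id='q1' from='bob@example.org/desk' to='proxy.example.org'>"
                  "<query xmlns='http://jabber.org/protocol/bytestreams'/></iq>")
SAMPLE_DENIED = SAMPLE_ALLOWED.replace("bob@example.org", "mallory@other.example")

if __name__ == "__main__":
    print(handle_address_query(SAMPLE_ALLOWED))
    print(handle_address_query(SAMPLE_DENIED))
```

The decision rests entirely on the stanza's from address, so it is only as strong as the trust placed in the federated server that stamped it.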
