picoenterprise:xmpp
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
picoenterprise:xmpp [2013/12/01 14:24] Olivier Brugman [server administration] |
picoenterprise:xmpp [2013/12/09 16:49] (current) Luc Nieland [video-bridge] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | =====XMPP===== | + | ======video conferencing====== |
| + | |||
| + | =====XMPP-server===== | ||
| Many people communicate on a day to day basis using tools like Google Hangouts, Skype, Whatsapp and what have you. What do most of these tools have in common? Well, though they're meant to communicate, they're only open as long as you communicate with other people who make use of the same proprietary solution, i.e. they don't support open standards like XMPP or SIP. Google used to support XMPP in Google Talk, however XMPP isn't supported anymore since they moved to the current Google Hangouts. | Many people communicate on a day to day basis using tools like Google Hangouts, Skype, Whatsapp and what have you. What do most of these tools have in common? Well, though they're meant to communicate, they're only open as long as you communicate with other people who make use of the same proprietary solution, i.e. they don't support open standards like XMPP or SIP. Google used to support XMPP in Google Talk, however XMPP isn't supported anymore since they moved to the current Google Hangouts. | ||
| Line 26: | Line 28: | ||
| ===prepare firewall=== | ===prepare firewall=== | ||
| - | After installation of the ejabberd server, several TCP-ports will be opened up on the server. It's advisable to only allow external traffic to and from the following ports (assuming you don't change the default values): | + | After installation of the ejabberd server, several TCP-ports will be opened up on the server. It's advisable to only allow external traffic to and from the following ports (as long as you don't change the default values): |
| - | * port 4369 # don't allow external access to epmd, though we need it locally for the ejabberdctl tool | + | |
| - | * port 5222 # allow XMPP-client traffic | + | ==allow for public== |
| - | * port 5269 # allow XMPP-server traffic | + | * tcp/5222 # XMPP-client traffic |
| - | * port 5280 # don't allow HTTP admin-interface on the wild wide web | + | * tcp/5269 # XMPP-server traffic |
| - | * port 7777 # allow file transfer via mod_proxy65 ([[http://xmpp.org/extensions/xep-0065.html|SOCKS5 bytestreams]]) | + | * tcp/7777 # XMPP-filetransfer traffic (via mod_proxy65 ([[http://xmpp.org/extensions/xep-0065.html|SOCKS5 bytestreams]]) |
| + | |||
| + | ==allow for admin only== | ||
| + | * tcp/4369 # ejabberdctl tool | ||
| + | * tcp/5280 # HTTP admin-interface | ||
| + | * tcp/5275 # video-bridge traffic | ||
| ====install ejabberd server==== | ====install ejabberd server==== | ||
| Line 39: | Line 46: | ||
| apt-get install ejabberd | apt-get install ejabberd | ||
| + | |||
| | | ||
| ====server configuration==== | ====server configuration==== | ||
| - | During the installation process a basic setup is stored in the ejabberd database (this is a mnesia-database as ejabberd is written in Erlang). Let's customize the hewly created ejabberd configuration. The main configuration file is /etc/ejabberd/ejabberd.cfg | + | During the installation process a basic setup is stored in the ejabberd database (this is a mnesia-database as ejabberd is written in Erlang). Let's customize the newly created ejabberd configuration. The main configuration file is /etc/ejabberd/ejabberd.cfg |
| When you take a look at this file you'll notice that comments start with '% %' characters, and lines finish with a ‘.’ character. Ok, first we have to tell ejabberd that we want to override the initial configuration. | When you take a look at this file you'll notice that comments start with '% %' characters, and lines finish with a ‘.’ character. Ok, first we have to tell ejabberd that we want to override the initial configuration. | ||
| Uncomment the 'override_acls.'-directive: | Uncomment the 'override_acls.'-directive: | ||
| Line 57: | Line 65: | ||
| ... | ... | ||
| %% Admin user | %% Admin user | ||
| - | {acl, admin, {user, "zebigboss", "example.com"}}. | + | {acl, admin, {user, "fred", "example.com"}}. |
| ... | ... | ||
| | | ||
| Line 75: | Line 83: | ||
| ... | ... | ||
| - | Now let's adjust the default listener so that ejabberd also supports IPv6. In addition, we want TLS to be required for all of the client connections. The self-signed certificate '/etc/ejabberd/ejabberd.pem' has been created by debconf. Of course you could use your own certificate instead. | + | Now let's adjust the default XMPP client-listener (c2s) so that ejabberd also supports IPv6. In addition, we want TLS to be required for all of the client connections. The self-signed certificate '/etc/ejabberd/ejabberd.pem' has been created by debconf. Of course you could use your own certificate instead. |
| ... | ... | ||
| Line 90: | Line 98: | ||
| ... | ... | ||
| | | ||
| - | And if you change the name/location of the certificate, don't forget to check the server to server-directive around line numer 206 of the configuration file: | + | |
| + | Now we want to also allow inter XMPP-server traffic (s2s) over IPv6. Here we don't have to add a starttls-directive as tls is enabled by default for s2s traffic. | ||
| + | |||
| + | ... | ||
| + | {5269, ejabberd_s2s_in, [ | ||
| + | inet6, | ||
| + | {shaper, s2s_shaper}, | ||
| + | {max_stanza_size, 131072} | ||
| + | ]}, | ||
| + | ... | ||
| + | |||
| + | and further below we can modify these optione: | ||
| + | |||
| + | ... | ||
| + | %% | ||
| + | %% Outgoing S2S options | ||
| + | %% | ||
| + | %% Preferred address families (which to try first) and connect timeout | ||
| + | %% in milliseconds. | ||
| + | %% | ||
| + | %%{outgoing_s2s_options, [ipv4, ipv6], 10000}. | ||
| + | {outgoing_s2s_options, [ipv6, ipv4], 5000}. | ||
| + | ... | ||
| + | |||
| + | |||
| + | If you change the name/location of the certificate, don't forget to check the server to server-directive around line numer 206 of the configuration file: | ||
| ... | ... | ||
| Line 111: | Line 144: | ||
| netstat -nalp |egrep '5222|5269' | netstat -nalp |egrep '5222|5269' | ||
| | | ||
| + | If you encounter any UUP's (i.e. Unidentified Unsolved Problems), you might want to increase the ejabberd server's loglevel from 4 to 5: | ||
| + | |||
| + | ... | ||
| + | {loglevel, 5}. | ||
| + | ... | ||
| + | |||
| ====server administration==== | ====server administration==== | ||
| Line 119: | Line 158: | ||
| You can create and register a new user like so: | You can create and register a new user like so: | ||
| - | ejabberdctl register user1 example.com 'h1spassw00rd' | + | ejabberdctl register fred jabber.example.com 'h1spassw00rd' |
| + | ejabberdctl register user2 jabber.example.com 'h1spassw00rd' | ||
| + | ejabberdctl register user3 jabber.example.com 'h1spassw00rd' | ||
| Look who is connected to your server: | Look who is connected to your server: | ||
| Line 126: | Line 167: | ||
| ejabberdctl connected_users_info | ejabberdctl connected_users_info | ||
| - | There is also a small admin webinterface you can check out at: | + | There is also 'Web Admin', a small admin webinterface you can check out at: |
| - | http://example.com:5280/admin | + | http://jabber.example.com:5280/admin |
| | | ||
| - | However we prefer the cli :-) | + | More information on 'Web Admin' is available at [[http://www.process-one.net/docs/ejabberd/guide_en.html#htoc75|http://www.process-one.net/docs/ejabberd/guide_en.html#htoc75]] |
| + | |||
| + | However, we prefer the cli anyway :-) | ||
| + | |||
| + | |||
| + | |||
| + | ====video-bridge==== | ||
| + | For conferencing by using a central-server, with all clients connected to this in a star-topology, a bridge is available from jitsi. It is named 'video-bridge'. | ||
| + | |||
| + | |||
| + | ===installation=== | ||
| + | |||
| + | Get the software from https://download.jitsi.org/jitsi-videobridge/linux/ | ||
| + | |||
| + | Create a useraccount: | ||
| + | groupadd jitsi | ||
| + | useradd -d /opt/jitsi-videobridge-linux-x64 -s /bin/bash -g jitsi jitsi | ||
| + | chown -R jitsi.jitsi /opt/jitsi-videobridge-linux-x64 | ||
| + | |||
| + | |||
| + | Add an entry to /etc/hosts | ||
| + | ... | ||
| + | 1.2.3.4 yourhostname.example.com yourhostname jitsi-videobridge.jabber.example.com | ||
| + | ... | ||
| + | |||
| + | |||
| + | Install software from the debian-repository: | ||
| + | |||
| + | apt-get install unzip default-jre-headless | ||
| + | |||
| + | |||
| + | Install the video-bridge: | ||
| + | su - jitsi | ||
| + | unzip /tmp/jitsi-videobridge-linux-x64-65.zip | ||
| + | mv jitsi-videobridge-linux-x64-65/lib . | ||
| + | mv jitsi-videobridge-linux-x64-65/jvb.sh . | ||
| + | mv jitsi-videobridge-linux-x64-65/jitsi-videobridge.jar jitsi-videobridge-v65.jar | ||
| + | |||
| + | |||
| + | |||
| + | Create a start-script /opt/jitsi-videobridge-linux-x64/start-bridge with content: | ||
| + | |||
| + | #!/bin/bash | ||
| + | HOME="/opt/jitsi-videobridge-linux-x64-63" | ||
| + | ${HOME}/jvb.sh --secret=VerySecretpw --domain='jabber.example.com' --host='localhost' --port=5275 | ||
| + | |||
| + | |||
| + | Set the properties: | ||
| + | |||
| + | chmod 700 start-bridge | ||
| + | |||
| + | |||
| + | Now we have to make some additions/changes to the /etc/ejabberd/ejabberd.cfg | ||
| + | |||
| + | Add a listener in the ejabberd Use the same port as mentioned above. | ||
| + | |||
| + | ... | ||
| + | {5275, ejabberd_service, [ | ||
| + | {host, "jitsi-videobridge.jabber.example.com", [{password, "VerySecretpw"}]} | ||
| + | ]}, | ||
| + | ... | ||
| + | |||
| + | Raise the traffic-shaper values in ejabberd | ||
| + | |||
| + | ... | ||
| + | %% | ||
| + | %% The "normal2" shaper limits traffic speed to 300.000 B/s while using the jitsi-videobridge | ||
| + | %% | ||
| + | {shaper, normal2, {maxrate, 100000}}. | ||
| + | ... | ||
| + | |||
| + | |||
| + | Activate the trafficshaper, at the paragraph 'ACCESS RULES' and replace normal for normal2: | ||
| + | |||
| + | ... | ||
| + | %% For all users except admins used "normal" shaper | ||
| + | {access, c2s_shaper, [{none, admin}, | ||
| + | {normal2, all}]}. | ||
| + | ... | ||
| + | |||
| + | |||
| + | Restart ejabberd. | ||
| + | |||
| + | Check for the Listener-port to open. | ||
| + | |||
| + | |||
| + | Start the bridge by running the start-bridge script as the user jitsi: | ||
| + | nohup ./start-bridge & | ||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | =====XMPP-client===== | ||
| + | |||
| + | Use the client from http://www.jitsi.org | ||
| + | |||
| + | |||
picoenterprise/xmpp.1385904248.txt.gz · Last modified: 2013/12/01 14:24 by Olivier Brugman
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International
