This means I get to federate to official movim servers!

I just need to wait until my rate limit for Let's Encrypt resets, but it doesn't matter right now because Movim servers don't care whether the certificate is CA-issued.

Pure Nginx external HTTP upload

As I learned yesterday, Movim requires an HTTP upload service on the XMPP server, which I have not enabled yet. After a quick look I found two Prosody modules which provide it. Because I don't trust Prosody's HTTP server (e.g. no SNI support yet), I focused on its external HTTP upload module, which requires an external service.

Background

The mod_http_upload_external page describes some external solutions:

  1. the PHP and Go solutions are not for me...
  2. the closest to my experience is the Python solution, but I want to avoid an external daemon, especially a Flask one, despite having everything needed for it installed and in use already (uWSGI, Flask, Python3, ...), because I know its performance limits and memory requirements.
  3. what interested me is Nginx's Perl module. I consider this a good solution, because Debian's Nginx comes with Perl support via a dynamic module. I am not very familiar with Perl, but this implementation sounds like a very simple task...

I decided to try to utilize Nginx's built-in DAV module and some external modules, namely HMAC Secure Link and (as I learned later) Set Misc.

The DAV module itself provides support for PUT requests, nothing special. The "HMAC Secure Link" module is able to verify an HMAC signature, but it cannot handle Prosody's HMAC-SHA256 digest directly, because it expects a Base64URL-encoded HMAC; Prosody's hex string has to be re-encoded, which the "Set Misc" module allows in two steps: first decode the hex string into a binary value, and then encode it as a Base64 string.

Nginx location

After some playing I got this location config. Some points about it:

  • there are two nested locations; not really needed, but Nginx searches all global regex locations on any request, which can reduce performance a little; this limits searching this location to only the chosen prefix
  • the nested location uses a regular expression capture group to eliminate the prefix from the URI, without needing a map directive
  • the nested location doesn't properly handle a missing token: while there is an if directive for it at the start of the location, it returns a 500 code
  • the nested location properly handles the 409 response on an existing file and the 403 response on a bad or missing token by some Nginx set directive magic

location /xmpp {
    root                    /srv;

    # $fpath is the path below /xmpp/, captured by the regex
    location ~ /xmpp/(?<fpath>.+)$ {
        dav_methods             PUT;
        create_full_put_path    on;                     # create directory, if needed
        dav_access              user:rw group:rw all:r; # set permissions
        client_max_body_size    100m;                   # default prosody's body size is 100 MB

        # encode $arg_v (Prosody's hex HMAC-SHA256) into a Base64 digest
        set                             $digest $arg_v;
        set_if_empty                    $digest "00";   # avoid a 500 when the token is missing
        set_decode_hex                  $digest;
        set_encode_base64               $digest;

        # verify $digest against the same message Prosody signs: "<filename> <size>"
        secure_link_hmac                $digest;
        secure_link_hmac_secret         "123456";       # placeholder, must match Prosody's secret
        secure_link_hmac_algorithm      sha256;
        secure_link_hmac_message        "$fpath $content_length";

        # initialise the helper variables, so the later ifs never read an unset value
        set                         $exists "";
        set                         $verified "";

        # handle missing token
        set                         $missing $request_method$arg_v;
        if ($missing = "PUT")            {return 403;}

        # do not overwrite existing file
        if (-e $request_filename)   {set $exists $request_method;}
        if ($exists = "PUT")        {return 409;}

        # handle bad HMAC token ($secure_link_hmac is empty when the check fails)
        if ($request_method = "PUT") {set $verified $request_method$secure_link_hmac;}
        if ($verified = "PUT")      {return 403;}
    }
}

The missing token (and the related 500 response) can be solved by the set_if_empty directive, but I didn't play with it (update: solved).

Testing

I prefer shell testing of HTTP services, because I can write some scripts for it. Here is a simple script to generate the HMAC token and fire a PUT request with it. It is not very intelligent, all things are hardcoded in variables, but as an inspiration:

#!/bin/sh
# Generate the HMAC token the same way Prosody does and PUT a test file with it.
kluc="123456"                 # shared secret (must match the Nginx/Prosody secret)
subor="/tmp/aaa.txt"          # local file to upload

velk=$(stat --printf="%s" "$subor")   # file size in bytes

text="${subor#/tmp/} $velk"   # signed message: "<filename> <size>"

# hex HMAC-SHA256 of the message, the form mod_http_upload_external expects
hmac=$(printf '%s' "$text" | openssl dgst -sha256 -hmac "$kluc" | cut -d" " -f2 )
echo "v=$hmac"

wget -qO- --server-response --body-file="$subor" --method=PUT \
    "https://bonifac.skk/xmpp/aaa.txt?v=${hmac}"

Conclusion

I am sure that this solution can provide better performance than the linked Flask module, but I am not happy with this solution, because I see some problems:

  • while it is basically working, the "HMAC Secure Link" module expects a Base64URL-encoded token, but the "Set Misc" module can provide only plain Base64 encoding, thus some combinations of the filename and size can be refused
  • it requires two external modules, which are not included in the standard Debian package, and thus a recompilation of Nginx can be required

I spent some hours on this (including repackaging Nginx, reading docs, coffee and lunch pauses, etc.), but it was wasted time. Next I will try the linked Perl Nginx module. If someone knows how to solve the Base64URL encoding problem, I will be happy if (s)he shares it.
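Here is an added example (mine, not code from the post above) that makes the Base64 versus Base64URL problem from the conclusion concrete: it generates the Prosody-style hex HMAC-SHA256 token over "filename size", shows what the set_decode_hex/set_encode_base64 chain produces against the Base64URL the secure link module expects (assumed unpadded, as in that module's examples), scans file sizes to find one token that passes and one that is refused, and finishes with a verifier that compares the hex token directly in constant time, as a Perl or Python handler could. The secret and filename are constructed demo values.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed demo secret; it only mirrors the placeholder in the nginx config above.
SECRET = b"123456"


def prosody_token(secret: bytes, filename: str, size: int) -> str:
    """Hex HMAC-SHA256 of "filename size", the value the upload client sends as ?v=..."""
    return hmac.new(secret, f"{filename} {size}".encode(), hashlib.sha256).hexdigest()


def setmisc_base64(hex_token: str) -> str:
    """What set_decode_hex + set_encode_base64 produce: plain Base64 ('+', '/', '=')."""
    return base64.b64encode(binascii.unhexlify(hex_token)).decode()


def base64url(hex_token: str) -> str:
    """Base64URL form ('-', '_') the HMAC secure link module expects (assumed unpadded)."""
    return base64.urlsafe_b64encode(binascii.unhexlify(hex_token)).rstrip(b"=").decode()


def survives_setmisc(hex_token: str) -> bool:
    """True when plain Base64 and Base64URL agree, i.e. no digest byte encodes to
    '+' or '/'. Only such tokens pass the Base64-only nginx chain above."""
    return setmisc_base64(hex_token).rstrip("=") == base64url(hex_token)


def first_size(secret: bytes, filename: str, want_ok: bool, limit: int = 10000):
    """Scan file sizes 1..limit and return the first one whose token is accepted
    (want_ok=True) or refused (want_ok=False) by the Base64-only chain, else None."""
    for size in range(1, limit + 1):
        if survives_setmisc(prosody_token(secret, filename, size)) == want_ok:
            return size
    return None


def verify_hex_token(secret: bytes, filename: str, size: int, presented: str) -> bool:
    """Verifier that compares the hex form directly, in constant time, so the
    Base64/Base64URL mismatch never arises (what a Perl or Python handler would do)."""
    return hmac.compare_digest(prosody_token(secret, filename, size), presented.lower())


if __name__ == "__main__":
    for label, want in (("accepted", True), ("refused", False)):
        size = first_size(SECRET, "aaa.txt", want)
        tok = prosody_token(SECRET, "aaa.txt", size)
        print(f"{label}: size={size} base64={setmisc_base64(tok)} base64url={base64url(tok)}")
```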

Berlin Online XMPP Sprint 2020

debacle · pubsub.movim.eu / berlin-xmpp-meetup · Sunday, 22 March, 2020 - 00:47

The planned XMPP sprint in Berlin from Thursday, 2020-03-26 to Sunday, 2020-03-29, will take place despite the current crisis. But instead of an in-person meeting, it will be an online event!

We will mainly use the XMPP group chat xmpp:xmpp-sprint@chat.cluxia.eu?join for all coordination, and multiple Jitsi instances for audio/video conferencing, maybe also Mumble for voice chat.

Please find all details in the wiki and consider participation! This time, there are neither travel nor hotel costs! https://wiki.xmpp.org/web/Sprints/2020_March_Berlin

See you at the Berlin Online XMPP Sprint! Berlin is wherever you are!

#xmpp #sprint #event #community #hacking #freesoftware #uwpx #beagleim #siskinim #xmppjs #omemo #kaidan #smack #dino #omemo #prosody #xmpprs #salutatoi #debian #jitsi

Trying to get Movim running at home...

Roelof Pieter · Tuesday, 16 May, 2017 - 20:22 · 3 minutes

This is a description of the problems I encountered when trying to install a Movim "compatible" XMPP server. This is mainly a reminder to myself, in case I want to try again in some time. I have written this afterwards, and some of the details have blurred. Be skeptical of everything you read here :-)

#movim #ejabberd #prosody

So, I've been trying to get a complete Movim "suite" running on my Raspberry Pi @ home. For me this means running the following components:

  1. Movim itself
  2. A web server for presenting the Movim interface (Nginx)
  3. A database server for storing Movim "stuff" (MySQL/MariaDB)
  4. An XMPP server for the actual transportation of messages and storage of "content"

I did already have Nginx and MySQL running. Installing Movim was quite straightforward, thanks to the instructions in the wiki. Also, I had already implemented things like DNS (a .nl domain through Yourhosting) and encryption using Letsencrypt. The tough nut to crack here is the XMPP server. I haven't been able to get this running in a way that I can fully enjoy Movim.

First up: Prosody.

I already had Prosody running as an alternative to the evil "Whatsapp". I use it mainly for chatting with my wife, who of course also has a Whatsapp account. She always looks a bit wary of me when we use Conversations. So, since it was already there, I tried this first. Despite the warnings that it has some drawbacks. Well, it works fine as a chat client, but the "news" section is disabled. The configuration section tells me that Movim is working in a "degraded" mode. Trying to get it running has at least had me configure http_upload (XEP-0363), so file uploading works better now.

Next Ejabberd (Version 15.X)

So, I use my Raspberry Pi for many things. Its main purpose however is running as a media center running Kodi. For this reason I have installed OSMC as its operating system. It is basically Raspbian, optimized for playing media. Being based on Raspbian means there are a lot of packages available, amongst them Ejabberd, albeit in an old version (14.07). I installed Ejabberd and disabled Prosody. After plowing through the terrible configuration file* (in YAML, which was new for me) in the end I finally had it running. Chat works and Movim appears in its full glory (with "News"). The only thing missing is the ability to upload files/photos to it. But hey, there is a module for that. I couldn't get it running though. A lot of scary errors, that I forgot to write down though :-( . I Googled a lot (well, DuckDuckGo'd) but the suggested configurations all led to an error and a crash of Ejabberd. So, this was no good either.

Finally, Ejabberd (17.04) from source

As there was no later version of Ejabberd available as a package, I decided to just download the source of a more recent version of Ejabberd. After remembering how this compiling goes, I did a "./configure --enable-user ejabberd & make & make install". Installation was fine. But here also I have a problem with mod_http_upload. Gajim, which I use for testing my XMPP account, with the http-upload plugin recognizes the possibility to upload a file. I see in the logging that the upload request reaches the server and is processed without error by the server, but the file doesn't seem to end up anywhere on the server. Gajim just tells me there is an HTTP error. Conversations only tells me the upload has failed. I spent several hours trying different combinations of configurations, mainly trying alternating docroots, but to no avail.

So, nope... (for now)

So, by now I have given up for now. Perhaps I will try Ejabberd again later. With some more luck I might succeed. I have Prosody running again, for chatting with my wife. If I understand correctly, in the next version 0.10 (or the one after, 0.11) PEP persistence might be available in Prosody, making it run better with Movim.

*) Yes, I know there is a web interface but I found the screenshots not very promising. I got the impression it was mainly for day-to-day administration, and not for setting the damn thing up. And, it is easier and therefore not nearly as cool :-) .