Jabber: Secured Web Chat

To make the Jabber web chat work securely, do the following.

  • Install Apache with mod_proxy and mod_proxy_http support.
  • Enable the respective modules in the Apache config:
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
  • Assuming that the web-chat directory is named jabber and located in the root of the DocumentRoot directory of the Apache web server, do the following:
    1. In the normal VHOST setup file (00_default_vhost.conf), enforce HTTPS by appending the following to the <VirtualHost> section:
              RewriteEngine On
              RewriteCond %{HTTPS} off
              RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
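    2. In the SSL VHOST setup file (00_default_ssl_vhost.conf), proxy requests for /jabber to the BOSH endpoint. ProxyPass does not accept regular expressions, so the anchored pattern needs ProxyPassMatch, and proxying to an https:// backend requires SSLProxyEngine:
              RewriteEngine On
              SSLProxyEngine On
              ProxyPassMatch ^/jabber$ https://DOMAIN.TLD:5280/jabber
              ProxyPassReverse /jabber https://DOMAIN.TLD:5280/jabber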
      
  • Restart/Reload Apache.
  • Now, update the Prosody config file (prosody.cfg.lua) to accept http-bind (BOSH) connections by inserting the following before the virtual hosts section:
    bosh_ports = {
        {
            port = 5280;
            path = "jabber";
            ssl = {
                key = "/PATH-TO-YOUR-JABBER-CERTS/certfile.key";
                certificate = "/PATH-TO-YOUR-JABBER-CERTS/certfile.crt";
            }
        }
    }
    
  • And restart/reload Prosody.
  • Install the specific webchat, e.g. Jappix, in the jabber (Apache) directory and open the https://DOMAIN.TLD/jabber URL. The HTTP request should be automatically forwarded to the HTTPS one.

Troubleshooting

It is useful to have the certificates trusted, i.e., signed by a trusted certification authority. See the how-to for details.

In case anything goes wrong, search for some hints and details in the following logs:

  • Apache logs (esp. error logs)
  • Prosody logs (esp. debug logs)
  • Setup of the webchat

Instead of browser requests, you can send the HTTPS request using the curl command, for instance:

curl https://DOMAIN.TLD/jabber

or

curl https://DOMAIN.TLD:5280/jabber

That should help as well.
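
A plain GET does not exercise BOSH itself, which works over POST. The Python script below is an added example, not part of the original post: it sends the XEP-0124 session-creation request a web chat would send and checks the certificate against the system trust store. The file name and the sample responses are constructed for illustration.

```python
"""Open a BOSH session (XEP-0124) over verified TLS to test the proxy chain."""
import secrets
import ssl
import sys
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

BOSH_NS = "http://jabber.org/protocol/httpbind"
# Constructed sample responses (not captured from a real server).
SAMPLE_OK = b"<body xmlns='http://jabber.org/protocol/httpbind' sid='constructed-sid-1' wait='10' hold='1'/>"
SAMPLE_TERMINATED = b"<body xmlns='http://jabber.org/protocol/httpbind' type='terminate' condition='host-unknown'/>"

def build_session_request(xmpp_domain, rid=None):
    """Return the <body/> element that asks the server for a new session."""
    rid = secrets.randbelow(2**31 - 1) + 1 if rid is None else rid
    return (f'<body xmlns="{BOSH_NS}" xmlns:xmpp="urn:xmpp:xbosh" '
            f'content="text/xml; charset=utf-8" hold="1" wait="10" ver="1.6" '
            f'rid="{rid}" to={quoteattr(xmpp_domain)} xmpp:version="1.0"/>').encode()

def parse_session_response(payload):
    """Return (ok, detail): the session id, or the reason no session was opened."""
    try:
        root = ET.fromstring(payload)
    except ET.ParseError:
        return False, "response is not well-formed XML"
    if root.tag != f"{{{BOSH_NS}}}body":
        return False, f"unexpected root element {root.tag}"
    if root.get("type") == "terminate":
        return False, "terminated: " + root.get("condition", "unknown")
    sid = root.get("sid")
    return (True, sid) if sid else (False, "no sid in response")

def probe(url, xmpp_domain, timeout=15):
    """POST the session request; the default context rejects untrusted certificates."""
    ctx = ssl.create_default_context()  # verifies chain and host name
    req = urllib.request.Request(url, data=build_session_request(xmpp_domain),
                                 headers={"Content-Type": "text/xml; charset=utf-8"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return parse_session_response(resp.read(65536))
    except OSError as exc:  # URLError, HTTPError, TLS and socket errors
        return False, f"request failed: {exc}"

if __name__ == "__main__":
    # Usage (hypothetical file name): python bosh_probe.py https://DOMAIN.TLD/jabber DOMAIN.TLD
    ok, detail = probe(sys.argv[1], sys.argv[2])
    print(("session opened, sid=" if ok else "FAILED: ") + detail)
    sys.exit(0 if ok else 1)
```

Run it against both URLs from the curl commands above: a failure only on the proxied URL points at the Apache side, a failure on port 5280 at Prosody or its certificate.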
