xmpp-proxy is a reverse proxy for XMPP servers, providing STARTTLS and TLS over plain-text XMPP connections and limiting stanza sizes without an XML parser.
xmpp-proxy will listen on any number of interfaces/ports and accept any STARTTLS or Direct TLS c2s or s2s connections, terminate TLS, and connect them to a real XMPP server, limiting stanza sizes as configured.
1. `cargo install xmpp-proxy`
2. `mkdir /etc/xmpp-proxy/ && cp xmpp-proxy.toml /etc/xmpp-proxy/`
3. Modify `/etc/xmpp-proxy/xmpp-proxy.toml` as needed; the file is annotated clearly with comments.
4. Put your TLS key and certificate in `/etc/xmpp-proxy/`. If your key has "RSA PRIVATE KEY" in it, change that to "PRIVATE KEY": `sed -i 's/RSA PRIVATE KEY/PRIVATE KEY/' /etc/xmpp-proxy/le.key`
5. `chown -Rv 'systemd-network:' /etc/xmpp-proxy/`
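The sed in step 4 only rewrites the PEM label: "RSA PRIVATE KEY" marks a PKCS#1 body and "PRIVATE KEY" a PKCS#8 body, so the file keeps its PKCS#1 encoding under the new header. The script below is an added example (editor's code, not xmpp-proxy's): it classifies a key by its label and, for PKCS#1 keys, produces a genuine PKCS#8 file with openssl, keeping a backup and checking that the result parses. The script name `pemfix.sh` is assumed.

```shell
#!/bin/sh
# Added example (not part of xmpp-proxy): inspect a PEM private key's label and,
# when it is PKCS#1 ("RSA PRIVATE KEY"), convert it to PKCS#8 ("PRIVATE KEY")
# with openssl instead of rewriting the label in place.

# Print the container format named by the first BEGIN line of a PEM file:
# pkcs1, sec1, pkcs8, pkcs8-encrypted or unknown.
pem_key_kind() {
    label=$(grep '^-----BEGIN ' "$1" | head -n 1 | sed 's/^-----BEGIN \(.*\)-----$/\1/')
    case "$label" in
        'RSA PRIVATE KEY')       echo pkcs1 ;;
        'EC PRIVATE KEY')        echo sec1 ;;
        'PRIVATE KEY')           echo pkcs8 ;;
        'ENCRYPTED PRIVATE KEY') echo pkcs8-encrypted ;;
        *)                       echo unknown ;;
    esac
}

# Convert a PKCS#1 key file to PKCS#8 in place, keeping the original as
# <key>.pkcs1.bak. Needs openssl. Other formats are left untouched.
# Returns non-zero if the conversion or the verification fails.
to_pkcs8() {
    key=$1
    kind=$(pem_key_kind "$key")
    if [ "$kind" != pkcs1 ]; then
        echo "$key: $kind, no conversion needed" >&2
        return 0
    fi
    # cp -p keeps the original mode, so the backup is no more readable than the key was.
    cp -p "$key" "$key.pkcs1.bak" || return 1
    # openssl truncates and rewrites the existing file, so its owner and mode are kept.
    openssl pkcs8 -topk8 -nocrypt -in "$key.pkcs1.bak" -out "$key" || return 1
    # Confirm the result parses as a key and now carries the PKCS#8 label.
    openssl pkey -in "$key" -noout || return 1
    [ "$(pem_key_kind "$key")" = pkcs8 ]
}

# Usage: ./pemfix.sh /etc/xmpp-proxy/le.key   (script name assumed)
if [ "$#" -eq 1 ]; then
    to_pkcs8 "$1"
fi
```

Run it before the chown in step 5 so the backup ends up owned by the same account as the key. If the key is already PKCS#8 or is an EC key, the script reports that and changes nothing.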
Usage: `xmpp-proxy [/path/to/xmpp-proxy.toml]` (default `/etc/xmpp-proxy/xmpp-proxy.toml`)
Add these to `modules_enabled`:
```
"secure_interfaces";
"net_proxy";
```
Until prosody-modules is updated, use my patched version of mod_secure_interfaces.lua, which also works for s2s.
Add this config:
```
-- trust connections coming from these IPs
secure_interfaces = { "127.0.0.1", "::1" }

-- handle PROXY protocol on these ports
proxy_port_mappings = { [15222] = "c2s", [15269] = "s2s" }

-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
-- you might need to comment these out further down in your config file if you set them
c2s_ports = {}
legacy_ssl_ports = {}

-- you MUST have at least one s2s_ports entry if you want outgoing S2S to work, don't ask..
s2s_ports = {15269}
```
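Once both daemons are restarted, the layout worth confirming is: prosody no longer binds the normal c2s/s2s ports, xmpp-proxy does, and prosody's PROXY-protocol ports 15222/15269 are reachable only over loopback. The last point matters because a PROXY-protocol receiver takes the source address from the header it is sent, so any host that can reach those ports can claim to be one of the `secure_interfaces` addresses; bind them to loopback (Prosody's `proxy_interfaces` setting, following its usual `<service>_interfaces` convention) or firewall them. The script below is an added example (editor's code, not from xmpp-proxy or Prosody) that audits `ss -ltnpH` output against that layout. It assumes xmpp-proxy.toml binds 5222 and 5269; the page does not say which public ports the provided config uses, so adjust `public` if yours differ. The sample listing is constructed.

```shell
#!/bin/sh
# Added example (editor's, not from xmpp-proxy or Prosody): audit the listener
# layout after the proxy and prosody restart.
# Assumption: xmpp-proxy.toml binds 5222/5269 (the page does not say which ports).

# Read `ss -ltnpH` lines on stdin. Print one line per violation and return the
# number of violations (0 = layout as expected). Prosody's own process name is
# not checked: it often shows up as the lua interpreter rather than "prosody".
check_layout() {
    awk -v public="5222 5269" -v proxyports="15222 15269" '
    BEGIN {
        bad = 0
        n = split(public, pub, " ");    for (i = 1; i <= n; i++) ispub[pub[i]] = 1
        n = split(proxyports, pp, " "); for (i = 1; i <= n; i++) isproxy[pp[i]] = 1
    }
    {
        laddr = $4                               # e.g. 0.0.0.0:5222 or [::1]:15222
        k = split(laddr, parts, ":"); port = parts[k]
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        owner = "?"
        # process name sits inside users:(("name",pid=...,fd=...))
        if (match($0, /users:\(\("[^"]+"/)) owner = substr($0, RSTART + 9, RLENGTH - 10)
        seen[port] = 1
        if (ispub[port] && owner != "xmpp-proxy") {
            print "port " port " owned by " owner ", expected xmpp-proxy"; bad++
        }
        if (isproxy[port] && addr != "127.0.0.1" && addr != "[::1]") {
            print "PROXY port " port " bound to " addr ", expected loopback only"; bad++
        }
    }
    END {
        for (p in ispub)   if (!seen[p]) { print "public port " p " has no listener"; bad++ }
        for (p in isproxy) if (!seen[p]) { print "PROXY port " p " has no listener"; bad++ }
        exit bad
    }'
}

# Constructed sample of `ss -ltnpH` output. The last line is deliberately wrong:
# the s2s PROXY port is exposed on every interface.
SAMPLE='LISTEN 0 128 0.0.0.0:5222 0.0.0.0:* users:(("xmpp-proxy",pid=1201,fd=7))
LISTEN 0 128 [::]:5269 [::]:* users:(("xmpp-proxy",pid=1201,fd=8))
LISTEN 0 128 127.0.0.1:15222 0.0.0.0:* users:(("lua5.4",pid=980,fd=12))
LISTEN 0 128 0.0.0.0:15269 0.0.0.0:* users:(("lua5.4",pid=980,fd=13))'

# Audit the constructed sample; returns 1 because of the exposed port.
check_sample() { printf '%s\n' "$SAMPLE" | check_layout; }

# Audit the running host:   ss -ltnpH | check_layout
```

The exit status is the violation count, so it slots into a post-deploy check as-is. A non-zero result on the public ports usually means prosody's old `c2s_ports`/`s2s_ports` lines further down the config were not commented out, exactly the case the comment in the config above warns about.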
Copy prosody's TLS key to `/etc/xmpp-proxy/le.key` and TLS cert to `/etc/xmpp-proxy/fullchain.cer`, and use the provided `xmpp-proxy.toml` configuration as-is.
GNU/AGPLv3 - Check LICENSE.md for details