There are connections on two ports ... on 5288 users connect via a WebSocket from a browser, on 5222 via regular clients ... when there are no access restrictions, everything connects, everything works ... if I add access only for admin on client port 5222, then the WebSocket on 5288 starts to throw "Access denied by service service. SASL binding failed." ... the question is, is it possible to divide access by ports? Where can I tweak it?

listen:
  -
    port: 5288
    module: ejabberd_http
    request_handlers:
      "/ws": ejabberd_http_ws
    web_admin: true
  -
    port: 5222
    module: ejabberd_c2s
    # access:
    #   - allow: admin
IPcorp
  • Looking at ejabberd_http_ws.erl source code, I see some code that specifically gets and applies the limitations configured for the FIRST ejabberd_c2s port listener. Just a wild idea: configure two c2s ports: the first one for the ws, and block it in the firewall. Then another c2s port for admins. – Badlop Jan 04 '19 at 10:45

1 Answer

Some time later...in the serverfault galaxy...

I'm going to work with ejabberd, so... I spent some time learning Erlang. If I understood everything correctly, it is possible that it was conceived that the "access" attribute is common to the "http" and "c2s" modules. Moreover, the "ejabberd_http" module does not have this attribute at all. When reading the configuration, only the first "access", from the first "ejabberd_c2s" read, is always taken. But, as I wrote in the question, this is not my case. I needed separate access rights for "http" and "c2s". To solve the problem:

  1. Just for the sake of order, I created a separate file "ejabberd_http_config.erl" (a copy of "ejabberd_c2s_config.erl"), changing the function "get_c2s_limits/0":
...
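%% Return the limit options of the first ejabberd_http listener.
get_http_limits() ->
    HttpListen = ejabberd_config:get_option(listen, []),
    %% Listener entries are {Port, Module, Opts}; search on the module (element 2).
    case lists:keysearch(ejabberd_http, 2, HttpListen) of
        false -> [];
        {value, {_Port, ejabberd_http, Opts}} ->
            select_opts_values(Opts)
    end.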
...
  2. Added the tuple "{access, all}" to the "listen_options/0" function in the "ejabberd_http.erl" function.
  3. In "ejabberd_http_ws.erl" in the function "init/1" corrected the line "Opts = ejabberd_c2s_config:get_c2s_limits() ++ SOpts," to "Opts = ejabberd_http_config:get_http_limits() ++ SOpts,".

Then I simply compiled these 3 files and uploaded the replacement modules to the server. Restarted the server and voilà. Now you can set access separately for "http" and for "c2s". Now Gajim (port 5222) connects only under the administrator's login, and at the same time the WebSocket (port 5288) is available for all connections (the default is "access: all", unless explicitly specified).

IPcorp
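
The lookup behaviour described in the comment and the answer, as an added stand-alone model (not code from the post or from ejabberd): it shows which access rule a WebSocket session inherits before and after the change, for the question's listener layout and for the two-c2s-listener layout suggested in the comment. The module name, select_access/1, the listener lists and port 5223 are assumptions made for the illustration.

```erlang
%% Added illustration: a stand-alone model, not ejabberd source code.
-module(ws_access_model).
-export([ws_access/2, demo/0]).

%% Constructed listener lists in the {Port, Module, Opts} shape that the
%% answer's get_http_limits/0 pattern-matches on.
question_config() ->
    [{5288, ejabberd_http, [{request_handlers, [{"/ws", ejabberd_http_ws}]}]},
     {5222, ejabberd_c2s,  [{access, admin}]}].

%% Layout from the comment: an unrestricted c2s listener first (to be
%% firewalled), then the admin-only one. Port 5223 is a made-up value.
two_c2s_config() ->
    [{5288, ejabberd_http, [{request_handlers, [{"/ws", ejabberd_http_ws}]}]},
     {5223, ejabberd_c2s,  []},
     {5222, ejabberd_c2s,  [{access, admin}]}].

%% Hypothetical stand-in for select_opts_values/1: keep only `access`.
select_access(Opts) ->
    [Opt || {access, _} = Opt <- Opts].

%% Options of the FIRST listener that uses Module; later ones are ignored.
first_limits(Module, Listen) ->
    case lists:keyfind(Module, 2, Listen) of
        false -> [];
        {_Port, Module, Opts} -> select_access(Opts)
    end.

%% Access rule a WebSocket session ends up with. `all` is the default the
%% answer describes when no access option is set.
ws_access(unpatched, Listen) ->
    proplists:get_value(access, first_limits(ejabberd_c2s, Listen), all);
ws_access(patched, Listen) ->
    proplists:get_value(access, first_limits(ejabberd_http, Listen), all).

%% One row per scenario: {Layout, CodePath, EffectiveWsAccess}.
demo() ->
    [{question, unpatched, ws_access(unpatched, question_config())},
     {question, patched,   ws_access(patched, question_config())},
     {two_c2s,  unpatched, ws_access(unpatched, two_c2s_config())}].
```

Compile with erlc and call ws_access_model:demo() from an Erlang shell to compare the three scenarios.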