
In ejabberd 18.01-2, installed in an LXC container running Ubuntu 18.04 Bionic LTS using apt, I'm trying to set up mod_http_upload.

In the section listen, I have

listen:
  -
    port: 5444
    module: ejabberd_http
    tls: true
    request_handlers:
      "/upload": mod_http_upload

In the configuration file, the commented port was 5444; however, in the current documentation it is 5443, so I am not sure which one is right.

In the modules section, I have

modules:
  mod_http_upload:
    host: "upload.ejabberd.forumanalogue.fr"
    max_size: infinity
    thumbnail: true
    put_url: "https://ejabberd.forumanalogue.fr:5444/upload"
    docroot: "/ejabberd/upload"

When I start the service, I can see an odd message in the logs

2019-11-11 21:02:35.287 [warning] <0.367.0>@ejabberd_pkix:handle_call:255 No certificate found matching 'upload.ejabberd.forumanalogue.fr': strictly configured clients or servers will reject connections with this host; obtain a certificate for this (sub)domain from any trusted CA such as Let's Encrypt (www.letsencrypt.org)

It is strange because I have a signed wildcard certificate.

certfiles:
  - "/etc/letsencrypt/live/forumanalogue.fr/*.pem"

I can see the service with my client (Gajim), but when I try to send a file to another local account, I receive an error, "Access denied by service policy"; see the complete log:

<iq xml:lang='en' to='foo@forumanalogue.fr/gajim.HCLJ4BZI' from='upload.ejabberd.forumanalogue.fr' type='error' id='1dd35274-90e9-4b3b-9608-0fab59afe34e'>
<request xmlns='urn:xmpp:http:upload'>
<filename>a.out</filename>
<size>27232</size>
<content-type>application/octet-stream</content-type>
</request>
<error code='403' type='auth'>
<forbidden xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
<text xml:lang='en' xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>Access denied by service policy</text>
</error>
</iq>

I had to enable debug logging in order to see something. It is quite verbose, but I think that the relevant part, which is non-redundant with the client message, is

2019-11-11 20:53:08.329 [debug] <0.501.0>@mod_http_upload:process_slot_request:544 Denying HTTP upload slot request from foo@forumanalogue.fr/gajim.HCLJ4BZI

Thank you for your help.

Clèm

1 Answer

I tried with ejabberd 18.01, a configuration similar to yours, and it works for me.

Looking at the source code, that "process_slot_request:544" error means that the account attempting to use the upload feature is not allowed by the "local" Access rule in the vhost it sent it to. Probably it's a remote account. Remote to that upload service. In other words, the service upload.whatever can only be used by accounts like user12@whatever.

In your case, you are attempting to use upload.ejabberd.forumanalogue.fr from account foo@forumanalogue.fr, which is not local to that upload service.

Several ideas, I hope one of them suits your specific setup:

A) don't mess with vhosts. If it's forumanalogue.fr, keep it that way everywhere

B) use @HOST@ in host and put_url options

C) Or if you really want to mess with hosts, then add Access rights so accounts in that vhost are considered "local" to the upload service.

Badlop
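The certificate warning quoted in the question names a host two labels below forumanalogue.fr. As an added example (not part of the original posts and not ejabberd's own code), this check reports which configured hostnames a certificate's SAN list covers under the standard rule that a wildcard stands for exactly one label. The SAN list is an assumption, since the page does not show the certificate's names; the hostnames and put_url come from the question.

```python
from urllib.parse import urlsplit


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' is only honoured as the whole leftmost
    label and stands for exactly one label, never for several."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse over-broad patterns such as "*.fr"; compare the remaining labels.
        return len(p_labels) > 2 and h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered_names(san_names, upload_host, put_url):
    """Return the configured hostnames that no SAN entry covers."""
    wanted = [upload_host, urlsplit(put_url).hostname]
    return [h for h in dict.fromkeys(wanted)
            if not any(san_matches(s, h) for s in san_names)]


# Constructed SAN list (assumption: a typical Let's Encrypt wildcard certificate).
ASSUMED_SANS = ["forumanalogue.fr", "*.forumanalogue.fr"]
# put_url as given in the question's mod_http_upload section.
PUT_URL = "https://ejabberd.forumanalogue.fr:5444/upload"

if __name__ == "__main__":
    # First host is the question's setting; second follows idea A in the answer.
    for host in ("upload.ejabberd.forumanalogue.fr", "upload.forumanalogue.fr"):
        missing = uncovered_names(ASSUMED_SANS, host, PUT_URL)
        status = "covered" if not missing else f"not covered: {missing}"
        print(f"{host} -> {status}")
```
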