Jabber/XMPP and ICQ transport through a Squid proxy using port 443 (https)
Company network setups are sometimes cumbersome
I’ve been running my own Jabber server for quite a while using ejabberd. I was a bit uncertain whether an Erlang-based application was the right choice for me, but ejabberd runs just fine.
At some point I ran into the problem that my new company only allows access to the internet via a Squid proxy server, so I wasn’t able to connect to my server any longer (sigh). I was therefore looking for an alternative that would let me have ICQ at my fingertips as well.
I came across the ICQ transport for Jabber/XMPP, and that gave me the idea to run that transport on my server and connect to the server on port 443. The idea is not new; if you look at the ejabberd tutorials page you’ll figure that out very easily. OK, the mission was clear, and now the realisation was missing.
Step 1: ICQ transport installation
This is straightforward on my Debian Lenny system. I simply use
aptitude install pyicqt
to install the ICQ transport itself.
The configuration is done on the ICQ transport side in the file /etc/pyicqt.conf.xml. In that file I basically change four settings: JID, mainServerJID, port and secret.
<jid>icq.domain.tld</jid>
<mainServerJID>domain.tld</mainServerJID>
<port>1234</port>
<secret>verysecret</secret>
The same settings have to be added to the ejabberd configuration file /etc/ejabberd/ejabberd.cfg, of course.
% Jabber ICQ Transport
{1234, ejabberd_service, [{ip, {127, 0, 0, 1}},
{access, all},
{hosts, ["icq.domain.tld"], [{password, "verysecret"}]}]},
Restart both services and that’s it.
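As an added example (not part of the original post), a small Python check that the settings really agree on both sides before restarting: the pyicqt JID, port and secret must match an ejabberd_service listener, and that listener should stay bound to 127.0.0.1 so the component secret is never reachable from the network. The two file contents are constructed samples in the shape shown above; the real files are /etc/pyicqt.conf.xml and /etc/ejabberd/ejabberd.cfg.

```python
import re
import xml.etree.ElementTree as ET
# Constructed samples of /etc/pyicqt.conf.xml and /etc/ejabberd/ejabberd.cfg, reduced to the settings the post changes.
PYICQT_XML = """<pyicqt>
  <jid>icq.domain.tld</jid>
  <port>1234</port>
  <secret>verysecret</secret>
</pyicqt>"""

EJABBERD_CFG = """
{1234, ejabberd_service, [{ip, {127, 0, 0, 1}},
                          {hosts, ["icq.domain.tld"], [{password, "verysecret"}]}]},
"""
# One ejabberd 2.x listener tuple: {Port, ejabberd_service, [Options]},
SERVICE_RE = re.compile(r"\{\s*(\d+)\s*,\s*ejabberd_service\s*,(.*?)\]\s*\}\s*,", re.S)


def parse_pyicqt(xml_text):
    root = ET.fromstring(xml_text)
    return {"jid": root.findtext("jid"), "port": int(root.findtext("port")),
            "secret": root.findtext("secret")}


def parse_ejabberd_services(cfg_text):
    # One dict per ejabberd_service listener: port, bind ip, served hosts, password.
    services = []
    for m in SERVICE_RE.finditer(cfg_text):
        opts = m.group(2)
        ip = re.search(r"\{ip\s*,\s*\{(\d+),\s*(\d+),\s*(\d+),\s*(\d+)\}\}", opts)
        hosts = re.search(r"\{hosts\s*,\s*\[(.*?)\]", opts)
        pw = re.search(r'\{password\s*,\s*"([^"]*)"\}', opts)
        services.append({"port": int(m.group(1)),
                         "ip": ".".join(ip.groups()) if ip else "0.0.0.0",  # ejabberd's default
                         "hosts": re.findall(r'"([^"]+)"', hosts.group(1)) if hosts else [],
                         "password": pw.group(1) if pw else None})
    return services


def check_transport(xml_text, cfg_text):
    # Returns a list of problems; an empty list means both sides agree.
    t = parse_pyicqt(xml_text)
    found = [s for s in parse_ejabberd_services(cfg_text) if t["jid"] in s["hosts"]]
    if not found:
        return ["no ejabberd_service listener serves host %s" % t["jid"]]
    s, problems = found[0], []
    if s["port"] != t["port"]:
        problems.append("port mismatch: ejabberd %d vs pyicqt %d" % (s["port"], t["port"]))
    if s["password"] != t["secret"]:
        problems.append("component secret differs between ejabberd.cfg and pyicqt.conf.xml")
    if s["ip"] != "127.0.0.1":  # the component port must not be reachable from outside
        problems.append("component port %d bound to %s, not loopback" % (s["port"], s["ip"]))
    return problems
```

Run it against the real files (read them in place of the two samples) and fix anything it reports before restarting both services.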
Step 2: Add entries to your DNS
I think this step is optional, but I’ll mention it anyway; otherwise I’d forget what I’ve done…
jabber A 1.2.3.4
icq CNAME jabber
_jabber._tcp.domain.tld. IN SRV 0 0 5269 jabber.domain.tld.
_xmpp-server._tcp.domain.tld. IN SRV 0 0 5269 jabber.domain.tld.
_xmpp-client._tcp.domain.tld. IN SRV 0 0 5222 jabber.domain.tld.
HINT: Mind the trailing dots at the end of the domain names.
Step 3: Use port 443 for Jabber/XMPP
This one was a bit tricky, and it took me some time to figure out how to solve it. Yes, RTFM and reading the logs would have been a big advantage.
Since I want to use port 443 (https) for an actual web server as well, I need different IP addresses for the two services. I therefore bound my Apache to one IP, e.g. 1.2.3.1, and my ejabberd to the IP 1.2.3.4, at least for port 443.
The ejabberd configuration lets you specify the IP address and port for a service quite easily, and this was my first approach. But it didn’t work out. The problem is using ports below 1024 with ejabberd: only a process started by root may bind them, which isn’t the case here.
The solution is quite simple: use your firewall to forward all incoming packets on port 443 for your Jabber IP (1.2.3.4 in our case) to port 5222 (the default Jabber client port) on that IP.
iptables -t nat -A PREROUTING -p tcp -m tcp -d 1.2.3.4 --dport 443 -j DNAT --to-destination :5222
If you’d like to keep your rules even after the next reboot, you may want to follow the explanation at Getting IPTables to survive a reboot. Keep in mind that the proxy merely tunnels the TCP connection: what arrives on port 5222 is ordinary XMPP, so the session is only encrypted if the client negotiates STARTTLS with ejabberd, exactly as it would on port 5222 directly.
I’d like to mention that it’s very easy to import your contacts into your Jabber IM client using PSI. AFAIK Pidgin doesn’t support XMPP service discovery, which could make this quite hard, on the other hand.