25
1
mirror of https://github.com/processone/ejabberd.git synced 2024-11-24 16:23:40 +01:00

* doc/guide.tex: Added explanations about epmd, cookie and node

name (EJAB-251)

SVN Revision: 1027
This commit is contained in:
Badlop 2007-12-05 18:53:09 +00:00
parent 1e1f15aa61
commit 720b57a235
2 changed files with 83 additions and 6 deletions

View File

@ -1,5 +1,8 @@
2007-12-05 Badlop <badlop@process-one.net> 2007-12-05 Badlop <badlop@process-one.net>
* doc/guide.tex: Added explanations about epmd, cookie and node
name (EJAB-251)
* src/msgs/zh.msg: Updated (thanks to Shelley Shyan) * src/msgs/zh.msg: Updated (thanks to Shelley Shyan)
* src/mod_muc/mod_muc_room.erl: Rephrase the invitation sentence * src/mod_muc/mod_muc_room.erl: Rephrase the invitation sentence

View File

@ -3379,16 +3379,90 @@ You need to take the following TCP ports in mind when configuring your firewall:
\centering \centering
\begin{tabular}{|l|l|} \begin{tabular}{|l|l|}
\hline Port& Description\\ \hline Port& Description\\
\hline \hline 5222& SASL and unencrypted c2s connections.\\ \hline \hline 5222& Standard port for Jabber/XMPP client connections, plain or STARTTLS.\\
\hline 5223& Obsolete SSL c2s connections.\\ \hline 5223& Standard port for Jabber client connections using the old SSL method.\\
\hline 5269& s2s connections.\\ \hline 5269& Standard port for Jabber/XMPP server connections.\\
\hline 4369& Only for clustering (see~\ref{clustering}).\\ \hline 4369& Port used by EPMD for communication between Erlang nodes.\\
\hline port range& Only for clustring (see~\ref{clustering}). This range \hline port range& Used for connections between Erlang nodes. This range is configurable.\\
is configurable (see~\ref{start}).\\
\hline \hline
\end{tabular} \end{tabular}
\end{table} \end{table}
\section{epmd }
\label{epmd}
\footahref{http://www.erlang.org/doc/man/epmd.html}{epmd (Erlang Port Mapper Daemon)}
is a small name server included in Erlang/OTP
and used by Erlang programs when establishing distributed Erlang communications.
ejabberd needs \term{epmd} to use \term{ejabberdctl} and also when clustering ejabberd nodes.
This small program is automatically started by Erlang, and is never stopped.
If ejabberd is stopped, and there aren't any other Erlang programs
running in the system, you can safely stop \term{epmd} if you want.
ejabberd runs inside an Erlang node.
To communicate with ejabberd, the script \term{ejabberdctl} starts a new Erlang node
and connects to the Erlang node that holds ejabberd.
In order for this communication to work,
\term{epmd} must be running and listening for name requests in the port 4369.
You should block the port 4369 in the firewall,
so only the programs in your machine can access it.
If you build a cluster of several ejabberd instances,
each ejabberd instance is called an ejabberd node.
Those ejabberd nodes use a special Erlang communication method to
build the cluster, and EPMD is again needed listening in the port 4369.
So, if you plan to build a cluster of ejabberd nodes
you must open the port 4369 for the machines involved in the cluster.
Remember to block the port so Internet doesn't have access to it.
Once an Erlang node solved the node name of another Erlang node using EPMD and port 4369,
the nodes communicate directly.
The ports used in this case are random.
You can limit the range of ports when starting Erlang with a command-line parameter, for example:
\begin{verbatim}
erl ... -kernel inet_dist_listen_min 4370 inet_dist_listen_max 4375
\end{verbatim}
\section{Erlang Cookie}
\label{cookie}
The Erlang cookie is a string with numbers and letters.
An Erlang node reads the cookie at startup from the command-line parameter \term{-setcookie}
or from a cookie file.
Two Erlang nodes communicate only if they have the same cookie.
Setting a cookie on the Erlang node allows you to structure your Erlang network
and define which nodes are allowed to connect to which.
Thanks to Erlang cookies, you can prevent access to the Erlang node by mistake,
for example when there are several Erlang nodes running different programs in the same machine.
Setting a secret cookie is a simple method
to difficult unauthorized access to your Erlang node.
However, the cookie system is not ultimately effective
to prevent unauthorized access or intrusion to an Erlang node.
The communication between Erlang nodes are not encrypted,
so the cookie could be read sniffing the traffic on the network.
The recommended way to secure the Erlang node is to block the port 4369.
\section{Erlang node name}
\label{nodename}
An Erlang node may have a node name.
The name can be short (if indicated with the command-line parameter \term{-sname})
or long (if indicated with the parameter \term{-name}).
Starting an Erlang node with -sname limits the communication between Erlang nodes to the LAN.
Using the option \term{-sname} instead of \term{-name} is a simple method
to difficult unauthorized access to your Erlang node.
However, it is not ultimately effective to prevent access to the Erlang node,
because it may be possible to fake the fact that you are on another network
using a modified version of Erlang \term{epmd}.
The recommended way to secure the Erlang node is to block the port 4369.
\chapter{Integrating ejabberd with other Instant Messaging servers} \chapter{Integrating ejabberd with other Instant Messaging servers}
\section{SRV Records} \section{SRV Records}
\label{srv} \label{srv}