25
1
mirror of https://github.com/processone/ejabberd.git synced 2024-11-24 16:23:40 +01:00
Commit Graph

50 Commits

Author SHA1 Message Date
Holger Weiss
38f1132192 ejabberd_stun: Omit 'auth_realm' log message
These days, TURN authentication is usually performed using ephemeral
credentials handed out by mod_stun_disco.  In that case, the TURN realm
is irrelevant.  Therefore, omit the misleading log message that warned
about a missing realm configuration.

(Commit 6eb2f07274 reduced the log level
of that message already.)
2024-10-15 22:50:30 +02:00
Badlop
589521bfd8 Update copyright year to 2024 (#4139) 2024-01-22 17:29:13 +01:00
Badlop
243697e25a Update copyright year to 2023 (#3967) 2023-01-10 13:52:04 +01:00
Badlop
b3211b1f71 Update copyright year to 2022 2022-02-11 09:39:25 +01:00
Badlop
6e0161470e Update newest copyright year to 2021 (#3464) 2021-01-27 17:02:06 +01:00
Holger Weiss
6c2bd91f01 ejabberd_stun: Block loopback addresses by default
Don't accept loopback addresses as TURN peers by default.  This makes
sure the TURN service won't allow remote clients to access local UDP
services.

However, this will break the case where the 'turn_ipv4_address' was set
to 127.0.0.1 as fallback and TURN worked "by accident" if both clients
were using the same TURN service.  The service then talked to itself on
the loopback interface.
2021-01-22 16:20:24 +01:00
Holger Weiss
b6f86187f3 Update 'stun' dependency
The 'stun' application now rejects Teredo and 6to4 TURN peers
unconditionally.  Therefore, remove those networks from the default
'turn_blacklist'.
2021-01-22 16:12:48 +01:00
Holger Weiss
e4d6007293 ejabberd_stun: Rename Logger filter
Don't overwrite the Logger filter added by the 'stun' application (which
appends metadata to STUN/TURN log messages).

Closes processone/stun#31.
2020-10-01 16:37:36 +02:00
Holger Weiss
3bf7fbc117 ejabberd_stun: Filter info/debug messages
Update 'stun' dependency, and drop the info/debug messages now logged by
the 'stun' application if OTP's new logging API is used.
2020-07-01 21:53:22 +02:00
Holger Weiss
7a37483307 Rename 'turn_v4_ip' and 'turn_v6_ip' options
The 'turn_ipv4_address' and 'turn_ipv6_address' option names are
probably more intuitive.
2020-05-29 18:40:19 +02:00
Holger Weiss
56d00e427d ejabberd_stun: Add 'turn_blacklist' option
The new 'turn_blacklist' listener option allows for specifying one or
more IP addresses and/or subnet addresses/masks.  The TURN server will
refuse to relay traffic from/to blacklisted IP addresses.  By default,
Teredo and 6to4 addresses are blacklisted, as mandated by RFC 6156
(section 9.1).
2020-05-21 21:46:02 +02:00
Holger Weiss
f19b975e8d mod_stun_disco: Offer local IPv6 services
Also announce local STUN/TURN services listening on IPv6 sockets (unless
the 'offer_local_services' option is set to 'false').
2020-05-19 22:55:12 +02:00
Holger Weiss
83fa637569 ejabberd_stun: Support IPv6 for TURN
The stun application now supports RFC 6156: TURN Extension for IPv6, and
therefore needs separate IPv4 and IPv6 relay addresses.
2020-05-19 21:42:41 +02:00
Holger Weiss
858bfb4b80 Let ejabberd_stun listen on IPv6 sockets
The stun application now allows IPv6 clients to perform STUN requests
and to allocate TURN relays.
2020-05-19 20:22:58 +02:00
Holger Weiss
6eb2f07274 ejabberd_stun: Tone down 'auth_realm' warning
These days, STUN/TURN authentication can be performed with ephemeral
credentials, where the REALM is irrelevant. Therefore, just log an
[info] message rather than a [warning] in the case where no
authentication REALM is configured but multiple virtual domains exist.
2020-04-28 10:34:43 +02:00
Holger Weiss
c55e7b8499 ejabberd_stun: Fix 'turn_ip' fallback
The 'turn_ip' option validator doesn't accept an inet:ip4_address()
tuple.

While at it, change the logic to only perform the fallback address
lookup if no 'turn_ip' is configured (analogous to the fallback
mechanism for the case where the 'auth_realm' is undefined).
2020-04-23 18:32:40 +02:00
Holger Weiss
09a87f5a0c ejabberd_stun: Handle hashed passwords gracefully
Don't crash when STUN/TURN authentication is performed against a
SCRAM-hashed password.
2020-04-22 00:16:03 +02:00
Holger Weiss
1db70edcf8 ejabberd_stun: Add 'stun_get_password' hook
Add a hook that allows modules to offer a password for STUN/TURN
authentication.
2020-04-22 00:09:42 +02:00
Holger Weiss
c836dc66a8 ejabberd_stun: Set a default 'turn_ip'
Try to resolve the local hostname, use the result as the default
'turn_ip', and only log a warning if that fails.  Using the local
hostname's address by default is analogous to mod_proxy65's behavior.
2020-04-20 08:42:32 +02:00
Badlop
2d32c66fd7 Update copyright to 2020 (#3149) 2020-01-28 15:49:23 +01:00
Evgeny Khramtsov
5770946f03 Correctly handle unicode in log messages 2019-09-23 15:17:20 +03:00
Evgeny Khramtsov
a02cff0e78 Use new configuration validator 2019-06-14 12:33:26 +03:00
Evgeny Khramtsov
ed2abe471a Rename listening callback from start/2 to start/3
This will prevent conflicts in callback names in mod_mqtt
Old callback function is still supported.
2019-04-01 16:53:28 +03:00
Badlop
55417dfb37 Update copyright to 2019 (#2756) 2019-01-08 22:53:27 +01:00
Evgeny Khramtsov
73af98a8dc Add forgotten TURN options to validator
Fixes #2621
2018-09-29 23:05:41 +03:00
Evgeny Khramtsov
7ff5f2d3fa Fail early when loading unavailable SIP or STUN modules 2018-09-18 18:19:42 +03:00
Evgeny Khramtsov
03de853e4f Refactor ejabberd_listener 2018-09-18 12:53:36 +03:00
Evgeny Khramtsov
de385591d0 Refactor ejabberd listener API 2018-09-17 11:21:02 +03:00
Evgeniy Khramtsov
50b645aa92 Move shaper to p1_utils repo 2018-07-05 09:31:55 +03:00
Evgeniy Khramtsov
fd8e07af47 Get rid of ejabberd.hrl header
The header consisted of too many unrelated stuff and macros misuse.
Some stuff is moved into scram.hrl and type_compat.hrl.
All macros have been replaced with the corresponding function calls.

TODO: probably type_compat.hrl is not even needed anymore since
we support only Erlang >= OTP 17.5
2018-06-14 14:00:47 +03:00
Evgeniy Khramtsov
4ea481d1dd Add validator for 'accept_interval' listening option 2018-04-30 11:52:00 +03:00
Stu Tomlinson
da81590fef Validate additional listen opts
The options "inet", "inet6" and "backlog" are valid listen options, but are
currently logged as errors (even though they do work):

2018-02-28 16:08:44.141 [error] <0.338.0>@ejabberd_listener:validate_module_option:630 unknown listen option 'backlog' for 'ejabberd_c2s' will be likely ignored, available options are: access, shaper, certfile, ciphers, dhfile, cafile, client_cafile, protocol_options, tls, tls_compression, starttls, starttls_required, tls_verify, zlib, max_fsm_queue

This adds the necessary validators so they are correctly recognized.
2018-02-28 16:14:35 +00:00
Evgeniy Khramtsov
cdc7c1d1ed Update copyright dates 2018-01-05 23:18:58 +03:00
Evgeniy Khramtsov
1698956f34 Rely on Server Name Indication for incoming Direct-TLS connections
This commit also deprecates `certfile` option for ejabberd_http
listener.
2017-12-24 12:27:51 +03:00
Christophe Romain
5c6a37b20f Cleanup some headers 2017-11-10 17:51:22 +01:00
Evgeniy Khramtsov
69de1780a0 Introduce --enable-stun and --enable-sip configure options
STUN/TURN and SIP is not compiled by default anymore.
Use --enable-stun, --enable-sip or --enable-all to enable them.
2017-05-23 13:12:48 +03:00
Evgeniy Khramtsov
cc58ce6301 Introduce Certficate Manager
The major goal is to simplify certificate management in ejabberd.
Currently it requires some effort from a user to configure certficates,
especially in the situation where a lot of virtual domains are hosted.

The task is splitted in several sub-tasks:
* Implement basic certificate validator. The validator should check all
configured certificates for existence, validity, duration and so on. The
validator should not perform any actions in the case of errors except
logging an error message. This is actually implemented by this commit.
* All certificates should be configured inside a single section (something
like 'certfiles') where ejabberd should parse them, check the full-chain,
find the corresponding private keys and, if needed, resort chains and
split the certficates into separate files for easy to use by fast_tls.
* Options like 'domain_certfile', 'c2s_certfile' or 's2s_certfile' should
probably be deprecated, since the process of matching certificates with the
corresponding virtual hosts should be done automatically and these options
only introduce configuration errors without any meaningful purpose.
2017-05-12 16:27:09 +03:00
Evgeniy Khramtsov
d3c8fb7705 Check presence of some files during option validation 2017-05-12 09:34:57 +03:00
Evgeniy Khramtsov
8368a0850a Don't call gen_mod:get_opt() outside of modules 2017-05-08 14:34:35 +03:00
Evgeniy Khramtsov
fddd6110e0 Don't validate an option in gen_mod:get*opt() functions
The changes are very similar to those from previous commit:
* Now there is no need to pass validating function in
  gen_mod:get_opt() and gen_mod:get_module_opt() functions,
  because the modules' configuration keeps already validated values.
* New functions gen_mod:get_opt/2 and gen_mod:get_module_opt/3 are
  introduced.
* Functions gen_mod:get_opt/4 and get_module_opt/5 are deprecated.
  If the functions are still called, the "function" argument is
  simply ignored.
* Validating callback Mod:listen_opt_type/1 is introduced to validate
  listening options at startup.
2017-04-30 19:01:47 +03:00
Christophe Romain
32e5781a6a Cleanup file headers 2017-01-03 15:58:52 +01:00
Badlop
5fdd1c39fe Update copyright date automatically (#1442) 2017-01-02 21:42:06 +01:00
Mickael Remond
b137ee3beb Move to new dependencies for SIP and STUN 2016-02-03 11:26:14 +01:00
Badlop
f448ff608a Update copyright to 2016 (#901) 2016-01-13 12:29:14 +01:00
Badlop
6631078884 Document a few more supported protocols 2015-06-22 13:11:37 +02:00
Evgeniy Khramtsov
c1119b1f39 Remove unused validation code 2015-06-03 16:05:17 +03:00
Evgeniy Khramtsov
fb6267f38e Add config validation at startup 2015-06-01 15:38:27 +03:00
Badlop
0c725b5fac Document protocol support (EJABS-1620) 2015-05-21 17:04:05 +02:00
Christophe Romain
120e581865 Fix missing copyright dates to 2015 (EJAB-1733) 2015-01-21 14:52:37 +01:00
Evgeniy Khramtsov
90a5c054d4 TURN support (EJAB-1017) 2014-05-08 16:14:21 +04:00