ejabberd register from specific IPs - xmpp

I am trying to set up my ejabberd server to allow user registration from a specific IP address. So far the only time I can register a user is when I change the ip_access value to all. But that's not what I want.
Here is part of my config file:
...
acl:
  ...
  loopback:
    ip:
      - "127.0.0.0/8"
      - "xx.xx.xx.xx"
  register_networks:
    ip:
      - "xx.xx.xx.xx"
  ...
access:
  ...
  register:
    all: allow
  trusted_network:
    loopback: allow
  register_network:
    register_networks: allow
  ...
registration_timeout: infinity
...
modules:
  ...
  mod_register:
    ip_access: register_network
    access: register
  ...
Neither trusted_network nor register_network works. I always get a 403 Forbidden error. I am using ejabberd 16.01.

You have defined register_networks: in acl but referred to register_network as the ip_access value.
That might be the issue.
Regards,
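To reason about a 403 from mod_register without restarting the server each time, it helps to evaluate the rules the way ejabberd does: an access rule is an ordered list of ACL/policy pairs, the first ACL that matches the client decides, and no match means deny. The Python model below is an added example and not ejabberd code; the ACL and access names are the ones from the question, 203.0.113.7 (RFC 5737 test range) stands in for the redacted xx.xx.xx.xx, and the rule semantics are the documented ejabberd ones. It also unwraps IPv4-mapped IPv6 addresses (::ffff:a.b.c.d), the form an IPv4 client can take on a listener bound to "::", so that the address your server logs for the registering client can be compared with the IPv4 entries in the ACL.

```python
"""Model of ejabberd ACL / access-rule resolution for a client IP.

Added example, not ejabberd code: it reproduces the rule semantics the
question relies on (IP ACLs, first matching ACL in an access rule wins,
no match means deny) so a 403 can be reasoned about offline."""
import ipaddress
from typing import Dict, List, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed ACLs mirroring the question's acl: section. The page redacts the
# real address as xx.xx.xx.xx; 203.0.113.7 (RFC 5737 TEST-NET-3) stands in for it.
ACL: Dict[str, List[str]] = {
    "loopback": ["127.0.0.0/8", "203.0.113.7"],
    "register_networks": ["203.0.113.7"],
}

# Access rules: ordered (acl, policy) pairs; the pseudo-ACL "all" matches everyone.
ACCESS: Dict[str, List[Tuple[str, str]]] = {
    "register": [("all", "allow")],
    "trusted_network": [("loopback", "allow")],
    "register_network": [("register_networks", "allow")],
}


def normalize(addr: str) -> IPAddr:
    """Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d), which a listener bound to "::"
    may report for IPv4 clients; an IPv4 ACL entry cannot match the mapped form."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def acl_matches(acl_name: str, addr: str) -> bool:
    """True if the client address falls in any network listed under the ACL."""
    if acl_name == "all":
        return True
    ip = normalize(addr)
    for entry in ACL.get(acl_name, []):
        net = ipaddress.ip_network(entry, strict=False)
        if ip.version == net.version and ip in net:
            return True
    return False


def evaluate(access_name: str, addr: str) -> str:
    """Walk the access rule in order; the first matching ACL decides, default deny."""
    for acl_name, policy in ACCESS.get(access_name, []):
        if acl_matches(acl_name, addr):
            return policy
    return "deny"


def registration_allowed(addr: str) -> bool:
    """mod_register as configured in the question: ip_access (register_network)
    is checked against the client IP and access (register) must allow as well."""
    return (evaluate("register_network", addr) == "allow"
            and evaluate("register", addr) == "allow")


if __name__ == "__main__":
    for client in ["203.0.113.7", "::ffff:203.0.113.7", "127.0.0.1", "::1", "198.51.100.9"]:
        print(f"{client:>22}  register_network={evaluate('register_network', client):5}  "
              f"trusted_network={evaluate('trusted_network', client):5}  "
              f"registration_allowed={registration_allowed(client)}")
```

Two things the model makes visible: mod_register only consults the rules named in ip_access and access, so trusted_network plays no part in registration, and because register_network lists only register_networks, a client on 127.0.0.1 is denied even though it is in the loopback ACL. Note also that an IPv6 loopback client (::1) matches nothing in an IPv4-only ACL.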

SleekXMPP (Slixmpp) Server Component not receiving all MUC messages from ejabberd

We want to build a simple server component for ejabberd which receives all messages sent to MUC rooms (we have many rooms and new ones are being created all the time) and, after processing some of these messages, performs some operations.
We don't want our server component to act like a bot, so we don't want it to reply to messages or things like that, we just want it to receive copies of all messages in order to process some of them.
To do so, we have followed the tutorial available here: https://sleekxmpp.readthedocs.io/en/latest/getting_started/component.html
The problem is that the component seems to receive only some of the messages (approximately 1 out of 5).
Also, we are observing a weird behavior: message delivery seems to be "exclusive", meaning that a message is delivered either to clients connected to the room or to the server component, which is weird to be honest. In other words, 1 message out of 5 is delivered to the server component, and the other 4 are delivered to clients as usual.
Here's our component code (we have tried with both sleekxmpp and slixmpp but we always have the same behavior):
import sys
import logging
#import sleekxmpp
#from sleekxmpp.componentxmpp import ComponentXMPP
import slixmpp
from slixmpp.componentxmpp import ComponentXMPP

if sys.version_info < (3, 0):
    from sleekxmpp.util.misc_ops import setdefaultencoding
    setdefaultencoding('utf8')
else:
    raw_input = input


class NotificationsComponent(ComponentXMPP):
    def __init__(self):
        # component JID, shared secret, server host, ejabberd_service port
        ComponentXMPP.__init__(self, "muc.ourservice.it", "secret", "jabber.ourservice.it", 5233)
        # add handler
        self.add_event_handler("message", self.message)
        #self.add_event_handler("groupchat_message", self.message)

    def message(self, msg):
        if msg['type'] == 'groupchat':
            print('Received group chat message')
            print(msg)
            #msg.reply('Well received').send()
        else:
            print('Received another message')


if __name__ == '__main__':
    logging.basicConfig(level=logging.DEBUG, format='%(levelname)-8s %(message)s')
    xmpp = NotificationsComponent()
    xmpp.register_plugin('xep_0030')  # Service Discovery
    #xmpp.register_plugin('xep_0004')  # Data Forms
    #xmpp.register_plugin('xep_0060')  # PubSub
    xmpp.register_plugin('xep_0199')  # XMPP Ping
    #xmpp.register_plugin('xep_0045')  # MUC
    # Connect to the XMPP server and start processing XMPP stanzas.
    xmpp.connect()
    xmpp.process()
and here's a snippet of our ejabberd 18.03 configuration:
listen:
  -
    port: 5222
    ip: "::"
    module: ejabberd_c2s
    starttls: true
    certfile: 'CERTFILE'
    protocol_options: 'TLSOPTS'
    ## dhfile: 'DHFILE'
    ## ciphers: 'CIPHERS'
    ##
    ## To enforce TLS encryption for client connections,
    ## use this instead of the "starttls" option:
    ##
    starttls_required: true
    ##
    ## Stream compression
    ##
    zlib: true
    ##
    max_stanza_size: 65536
    shaper: none
    access: c2s
  -
    port: 5280
    ip: "::"
    module: ejabberd_http
    request_handlers:
      "/admin": ejabberd_web_admin
      "/bosh": mod_bosh
    #request_handlers:
    #  "/ws": ejabberd_http_ws
    #  "/bosh": mod_bosh
    #  "/api": mod_http_api
    ## "/pub/archive": mod_http_fileserver
    web_admin: true
    http_bind: true
    ## register: true
    captcha: false
    certfile: 'CERTFILE'
    tls: true
  -
    port: 5233
    ip: "::"
    module: ejabberd_service
    access: all
    privilege_access:
      message: "outgoing"
    password: "secret"
    shaper: none
we have also tried to play with access, privilege_access and things like that but no luck.
Do you have any idea what might cause this weird behavior? Is there any particular plugin or module that should be enabled?
Of course, we have enabled debug logs on both sleekxmpp and ejabberd, but we don't see any errors, it's just that messages are missing.
We also did one more test. Even by using the official "echo component" example available in the slixmpp repository, we have the same issue. So it looks like there is some issue at our server, maybe on the message routing part, we don't know.
Thanks
I think you mixed a couple of things here. The component you created here seems to connect to ejabberd as an External Component (see https://xmpp.org/extensions/xep-0114.html or https://xmpp.org/extensions/xep-0225.html), judging from http://sleekxmpp.com/getting_started/component.html, which means that ejabberd (seems to, at least) routes some messages to its internal component and some to your (external) component. This would explain why your component receives only certain messages.
You have two options:
use SleekXMPP but connect as regular user (you can use "bot" example and simply listen for messages without responding)
create dedicated component/handler within ejabberd that would receive all messages and process them accordingly.
Both options have pros and cons:
client-in-room - easier development (for you, it seems), but it requires a permanent connection and may lose some messages if the connection is dropped
dedicated handler in ejabberd - most likely slightly more difficult to implement.
It turns out I totally misunderstood the purpose of Jabber external components.
I was expecting to receive a "copy" of all events occurring within ejabberd, but I was wrong.
To achieve the result I was expecting, I'm using a module called "mod_post_log" which sends an HTTP request for every message sent by a user. That works for me.
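The component in the question authenticates to the ejabberd_service listener on port 5233 with the shared secret "secret", using the XEP-0114 handshake the first answer links to. The Python below is an added example, not slixmpp or ejabberd code; it reproduces both sides of that exchange offline so the trust model is visible. Only a SHA-1 digest of the server-chosen stream id and the secret travels on the wire, so a single captured handshake does not hand over the secret directly, but whoever can present the right digest owns the component domain, XEP-0114 provides no encryption of its own, and the listener in the question is bound to "::" with access: all. The brute_force_secret function shows why the secret strength matters: a captured (stream id, digest) pair is enough to test guesses offline. The stream id and domain used here are local stand-ins; a real server chooses the id.

```python
"""XEP-0114 component handshake, both sides, run offline.

Added example (not slixmpp or ejabberd code): shows what actually travels on
port 5233 when the component in the question connects with its shared secret."""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from typing import Iterable, List, Optional, Tuple

COMPONENT_NS = "jabber:component:accept"


def handshake_digest(stream_id: str, secret: str) -> str:
    """XEP-0114: hex SHA-1 of the stream id concatenated with the shared secret."""
    return hashlib.sha1((stream_id + secret).encode("utf-8")).hexdigest()


def server_stream_header(stream_id: str, component_domain: str) -> str:
    """Server -> component: opening stream header carrying the server-chosen id."""
    return (f'<stream:stream xmlns:stream="http://etherx.jabber.org/streams" '
            f'xmlns="{COMPONENT_NS}" from="{component_domain}" id="{stream_id}">')


def component_handshake(stream_id: str, secret: str) -> str:
    """Component -> server: the digest, never the secret itself."""
    return f'<handshake xmlns="{COMPONENT_NS}">{handshake_digest(stream_id, secret)}</handshake>'


def server_verify(stream_id: str, secret: str, handshake_xml: str) -> bool:
    """Server side: parse <handshake/> and compare digests in constant time."""
    elem = ET.fromstring(handshake_xml)
    if elem.tag != f"{{{COMPONENT_NS}}}handshake":
        return False
    return hmac.compare_digest(elem.text or "", handshake_digest(stream_id, secret))


def run_exchange(component_secret: str, server_secret: str,
                 domain: str = "muc.ourservice.it") -> Tuple[bool, List[str]]:
    """Full exchange with a fresh random stream id.

    Returns (accepted, transcript); the transcript is what a network observer sees."""
    stream_id = secrets.token_hex(16)
    header = server_stream_header(stream_id, domain)
    handshake = component_handshake(stream_id, component_secret)
    accepted = server_verify(stream_id, server_secret, handshake)
    return accepted, [header, handshake]


def brute_force_secret(stream_id: str, observed_digest: str,
                       candidates: Iterable[str]) -> Optional[str]:
    """What a passive observer of one handshake can do with a weak secret:
    the (stream id, digest) pair is enough to test guesses offline."""
    for guess in candidates:
        if handshake_digest(stream_id, guess) == observed_digest:
            return guess
    return None


if __name__ == "__main__":
    ok, transcript = run_exchange("secret", "secret")
    print("accepted:", ok)
    for stanza in transcript:
        print("  ", stanza)
    sid = "3BF96D32A1"  # constructed stream id for the offline guess demo
    print("recovered:", brute_force_secret(sid, handshake_digest(sid, "secret"),
                                           ["hunter2", "changeme", "secret"]))
```

If the component runs on the same host as ejabberd, binding the ejabberd_service listener to a loopback address instead of "::" removes the remote exposure entirely; otherwise the secret should be long and random, since nothing else protects the component domain.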

rd-acl says I can make a project, but the Rundeck UI says I can't. What is wrong here?

I put an acl policy in /etc/rundeck for my group.
rd-acl test -c application -g "Cloud Team" -a create -G project
Using configured Rundeck etc dir: /etc/rundeck
The decision was: allowed
The test passed
Then I log into Rundeck via the website and I see this:
You have no authorized access to projects.
Contact your administrator. (User roles: ..., Cloud Team, ...)
For good measure, I temporarily made another acl policy for my user.
I pass the test with my user name.
rd-acl test -c application -u myuser -a create -G project
I also tried a group that does not have a space in the name and got the same results.
If it makes a difference, I am logging in using my AD credentials and the groups are being pulled in from AD.
This is in Rundeck 3.0.20-20190408
My acl policy
description: Admin, all access.
context:
  project: '.*' # all projects
for:
  resource:
    - allow: '*' # allow read/create all kinds
  adhoc:
    - allow: '*' # allow read/running/killing adhoc jobs
  job:
    - allow: '*' # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*' # allow read/run for all nodes
by:
  group: Cloud Team
---
description: Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
  project_acl:
    - allow: '*' # allow admin of all project-level ACL policies
  storage:
    - allow: '*' # allow read/create/update/delete for all /keys/* storage content
by:
  group: Cloud Team
I see errors like this in rundeck.access.log
Evaluating Decision for: res<type:resource, kind:project> subject<Username:MyNameHere Group:OneOfMyGroups Group:AnotherGroup Group:Cloud Team> action<create> env<rundeck:auth:env:application:rundeck>: authorized: false: No context matches subject or environment => REJECTED_NO_SUBJECT_OR_ENV_FOUND (0ms)
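The rundeck.access.log line is the most useful artefact here, because it records the exact subject (username and group list as mapped from the directory), action and environment the web application evaluated, which is what has to line up with the arguments given to rd-acl test. The parser below is an added example and not Rundeck code; it turns the decision line quoted in the question into a structured record so the groups and environment can be compared field by field. The second log line in the sample is constructed only to show that non-decision lines are skipped.

```python
"""Parser for rundeck.access.log "Evaluating Decision" lines.

Added example, not Rundeck code. It turns the line quoted in the question into a
record so the subject and environment the web app actually evaluated can be
compared with what rd-acl test was asked to check."""
import re
from typing import Dict, Iterator, List, Optional, Tuple

DECISION_RE = re.compile(
    r"Evaluating Decision for: res<(?P<res>[^>]*)> subject<(?P<subject>[^>]*)> "
    r"action<(?P<action>[^>]*)> env<(?P<env>[^>]*)>: authorized: (?P<authorized>true|false)"
    r"(?:: (?P<reason>.*?))? => (?P<code>[A-Z_]+) \((?P<ms>\d+)ms\)"
)
# Username:x Group:a Group:b c ... ; group names may contain spaces ("Cloud Team").
SUBJECT_RE = re.compile(r"(Username|Group):(.*?)(?= (?:Username|Group):|$)")

# First line: the decision from the question (the extraction wrap at "run/deck" rejoined).
# Second line: constructed, unrelated, present only to show that it is skipped.
SAMPLE_LOG = """\
Evaluating Decision for: res<type:resource, kind:project> subject<Username:MyNameHere Group:OneOfMyGroups Group:AnotherGroup Group:Cloud Team> action<create> env<rundeck:auth:env:application:rundeck>: authorized: false: No context matches subject or environment => REJECTED_NO_SUBJECT_OR_ENV_FOUND (0ms)
some unrelated log line (constructed) that the parser must skip
"""


def parse_attrs(text: str) -> Dict[str, str]:
    """'type:resource, kind:project' -> {'type': 'resource', 'kind': 'project'}"""
    out: Dict[str, str] = {}
    for part in text.split(","):
        key, _, value = part.strip().partition(":")
        if key:
            out[key] = value
    return out


def parse_subject(text: str) -> Tuple[Optional[str], List[str]]:
    """Split the subject into the username and the ordered list of groups."""
    username: Optional[str] = None
    groups: List[str] = []
    for kind, value in SUBJECT_RE.findall(text):
        if kind == "Username":
            username = value
        else:
            groups.append(value)
    return username, groups


def parse_decision(line: str) -> Optional[dict]:
    """Return a record for a decision line, or None for any other line."""
    m = DECISION_RE.search(line)
    if not m:
        return None
    username, groups = parse_subject(m.group("subject"))
    # env is a URI key and a value separated by the last colon,
    # e.g. rundeck:auth:env:application -> rundeck
    env_key, _, env_value = m.group("env").rpartition(":")
    return {
        "resource": parse_attrs(m.group("res")),
        "username": username,
        "groups": groups,
        "action": m.group("action"),
        "env": {env_key: env_value},
        "authorized": m.group("authorized") == "true",
        "reason": m.group("reason"),
        "code": m.group("code"),
        "ms": int(m.group("ms")),
    }


def parse_log(text: str) -> Iterator[dict]:
    """Yield records for every decision line in a log, skipping everything else."""
    for line in text.splitlines():
        rec = parse_decision(line)
        if rec:
            yield rec


def subject_has_group(rec: dict, group: str) -> bool:
    """Exact match only: a trailing space or different case coming from the
    directory would make a policy's 'by: group:' miss."""
    return group in rec["groups"]


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec)
        print("has 'Cloud Team':", subject_has_group(rec, "Cloud Team"))
```

For the line on the page the parser confirms that the subject does carry the group "Cloud Team" exactly and that the environment is the application environment with value "rundeck", the same pair rd-acl test was run with; whatever differs between the two evaluations is therefore not in those two fields.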

HWIOAuthBundle facebook 443 Bad Access

I'm building a symfony REST Api in which I'm trying to get HWIOAuthBundle, FOSUserBundle and LexikJWTBundle working all together.
I followed this gist for the HWIOAuthBundle/FOSUserBundle integration.
Now I'm getting the Facebook login form when hitting the /login route. But after submission I get this error:
[2/2] HttpTransportException: Error while sending HTTP request
[1/2] RequestException: Failed to connect to graph.facebook.com port 443: Bad access
INFO - Matched route "hwi_oauth_service_redirect".
CRITICAL -
Uncaught PHP Exception HWI\Bundle\OAuthBundle\OAuth\Exception\HttpTransportException:
"Error while sending HTTP request"
at C:\myProject\vendor\hwi\oauth-bundle\OAuth\ResourceOwner\AbstractResourceOwner.php
line 257
DEBUG -
Notified event "kernel.request" to listener
"Symfony\Component\EventDispatcher\Debug\WrappedListener::__invoke".
...
I'm now looking for help about this. Or any other way to get those bundles to work together.
config.yml :
hwi_oauth:
    # list of names of the firewalls in which this bundle is active, this setting MUST be set
    firewall_names: [auth]
    http_client:
        timeout: 10000
        verify_peer: false
        max_redirects: 1000
        ignore_errors: false
    fosub:
        username_iterations: 300
        properties:
            # these properties will be used/redefined later in the custom FOSUBUserProvider service.
            facebook: facebook_id
    # an optional setting to configure a query string parameter which can be used to redirect
    # the user after authentication, e.g. /connect/facebook?_destination=/my/destination will
    # redirect the user to /my/destination after facebook authenticates them. If this is not
    # set then the user will be redirected to the original resource that they requested, or
    # the base address if no resource was requested. This is similar to the behaviour of
    # [target_path_parameter for form login](http://symfony.com/doc/2.0/cookbook/security/form_login.html).
    # target_path_parameter: _destination
    # an optional setting to use the HTTP REFERER header to be used in case no
    # previous URL was stored in the session (i.e. no resource was requested).
    # This is similar to the behaviour of
    # [using the referring URL for form login](http://symfony.com/doc/2.0/cookbook/security/form_login.html#using-the-referring-url).
    # use_referer: true
    # here you will add one (or more) configurations for resource owners
    resource_owners:
        facebook:
            type: facebook
            client_id: {id}
            client_secret: {secret}
            scope: ""
            infos_url: "https://graph.facebook.com/me?fields=name,email,picture.type(square)"
            options:
                display: popup
security.yml :
firewalls:
    auth:
        pattern: ^/api/minisite/user/auth
        anonymous: true
        stateless: true
        form_login:
            check_path: /api/minisite/user/auth/login_check
            success_handler: lexik_jwt_authentication.handler.authentication_success
            failure_handler: lexik_jwt_authentication.handler.authentication_failure
            username_parameter: username
            password_parameter: password
            require_previous_session: false
        oauth:
            resource_owners:
                facebook: "/api/minisite/user/auth/facebook/login/check-facebook"
            login_path: /api/minisite/user/auth/facebook/login
            check_path: /api/minisite/user/auth/login_check
            failure_path: /api/minisite/user/auth/facebook/login
            oauth_user_provider:
                #this is my custom user provider, created from FOSUBUserProvider - will manage the
                #automatic user registration on your site, with data from the provider (facebook. google, etc.)
                service: my_user_provider
        logout: true
        anonymous: true
access_control:
    - { path: ^/api/minisite/user/auth, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/api/minisite, roles: IS_AUTHENTICATED_FULLY }
Configure this in your config.yml file.
hwi_oauth:
http_client:
verify_peer: false
Setting this allows you to turn off SSL verification.
I got the same problem using HWI on localhost. I don't know if it's your case, but try uploading your work to a server. The reason for this issue is that you are using port 80, but Facebook needs you to use port 443 or IPv6.
Hope this helps
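The error quoted in the question, "Failed to connect to graph.facebook.com port 443", is cURL's connect-level failure: it is raised before any TLS handshake has started. verify_peer: false only changes what happens after the TCP connection exists (it disables certificate and hostname checking, and with it the protection against an interposed server), so it cannot turn a connect failure into a success. The Python below is an added diagnostic, not part of HWIOAuthBundle or its HTTP client; it tries the same two steps, TCP connect then TLS handshake, and reports which layer failed, with and without verification. The offline demonstration uses a closed loopback port; point diagnose() at graph.facebook.com from the affected host to see the real answer.

```python
"""Separate a TCP connect failure from a TLS verification failure.

Added example, not HWIOAuthBundle code. cURL's "Failed to connect to <host> port 443"
is raised before any TLS handshake; verify_peer: false only affects what happens
after the connection exists."""
import socket
import ssl
from typing import Tuple


def classify_error(exc: BaseException) -> str:
    """ssl.SSLError subclasses OSError, so the TLS cases are tested first."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "tls-verify"   # bad chain / hostname: the only case verify_peer: false changes
    if isinstance(exc, ssl.SSLError):
        return "tls-other"    # handshake failed for another reason (protocol, cipher, reset)
    if isinstance(exc, OSError):
        return "transport"    # refused, timeout, unreachable, DNS: TLS settings are irrelevant
    return "unknown"


def diagnose(host: str, port: int = 443, timeout: float = 5.0,
             verify: bool = True) -> Tuple[str, str]:
    """TCP connect, then TLS handshake; returns (category, detail)."""
    ctx = ssl.create_default_context()
    if not verify:            # the equivalent of verify_peer: false
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok", f"{tls.version()} to {host}:{port}"
    except Exception as exc:  # classified, not swallowed
        return classify_error(exc), f"{type(exc).__name__}: {exc}"


def free_closed_port() -> int:
    """A loopback port that is known to be closed, for the offline demonstration."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port = free_closed_port()
    # Both calls fail the same way: disabling verification does not help a connect failure.
    print("verify=True ", diagnose("127.0.0.1", port, timeout=2.0))
    print("verify=False", diagnose("127.0.0.1", port, timeout=2.0, verify=False))
    # Against the real endpoint, "tls-verify" vs "transport" tells you which layer failed:
    # print(diagnose("graph.facebook.com"))
```

A "transport" result points at the network path (firewall, egress proxy, DNS, or a local socket restriction) and is fixed there, not in the HTTP client's TLS options; a "tls-verify" result points at the CA bundle available to PHP and is fixed by supplying a correct one rather than by disabling verification.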

Sails.js 0.10.x: How to listen on localhost only?

I would like to pipe all traffic through an NGINX proxy and make sure that the node server won't be accessible directly from the outside.
Node's http module has the ability to listen on a given port on localhost only, is there an option to enable sails.js to do the same?
Simply add this setting:
config/local.js
module.exports = {
  explicitHost: process.env.HOST || 'localhost'
};
Or you could add a policy:
config/policies.js
module.exports.policies = {
  '*': 'isLocal'
};
api/policies/isLocal.coffee
# isLocal
#
# @module :: Policy
# @description :: Accept only local connections
# @docs :: http://sailsjs.org/#!documentation/policies
module.exports = (req, res, cb) ->
  if req.ip is '127.0.0.1' then cb()
  else res.forbidden new Error 'Accept only local connections'
Not sure why you want to use Sails to restrict access to only localhost when you're using nginx as a proxy server (nginx is designed to do what you want). You can use an nginx configuration file to restrict local access to your Sails app.
server {
    listen 80;
    server_name www.yourSailsApp.com;
    ...
    location / {
        allow 127.0.0.1;
        deny all;
    }
}
You may need to add your site to your HOSTS file /etc/hosts:
127.0.0.1 yourSailsApp.com
Alternatively, you can just find the public IP of your server and use that in the nginx configuration instead, in the allow field.

Problem accessing Eclipse source through proxy.eclipse.org

I'm trying to access the eclipse source code in cvs, but unfortunately, the location I'm at blocks all non-standard tcp/ip ports. I spoke with a sysadmin on the phone, and he recommended that I try to find a way to download the source using the port 80 or port 443 proxy listed at: http://wiki.eclipse.org/CVS_Howto#CVS_and_firewalls
The problem I'm having is that neither of the sites (proxy.eclipse.org:80 and pebbles.eclipse.org:443) seems to be available to connect to using either the CVS in Eclipse or TortoiseCVS. I've been trying to connect using the following setup:
Host: proxy.eclipse.org
Repository Path: /cvsroot/eclipse
User: Anonymous
Pass: <blank>
Connection Type: pserver
Use Port: 80
I've also tried:
Host: pebbles.eclipse.org
Repository Path: /cvsroot/eclipse
User: Anonymous
Pass: <blank>
Connection Type: pserver
Use Port: 443
Both of these give me the following exception when I try to fetch the module list:
Could not connect to:
I/O exception occurred: No response from server.
Thoughts on this? Perhaps there is a newer server to download the source that I'm missing?
Thanks!
Try contacting webmaster@eclipse.org.