Issues using XMPP+BOSH

I’m running Prosody at home, with ports open on my router/firewall for c2s and s2s. From everywhere I can connect Pidgin/XMPP to this without problems but another user’s corporate firewall has recently started allowing only outgoing http/s.

Accordingly, I’ve modified the Prosody configuration to support BOSH. On the router, I can direct XMPP traffic arriving from the internet through to the Prosody box. But I can’t direct http/s traffic directly to the Prosody box as I have other web servers all sitting behind a reverse proxy, which is what the router/firewall forwards 443 to. So I added a new vhost on that reverse proxy, proxypass-ing through to 5280 on the Prosody box. Oh, and I copied the SSL certificate from the Prosody box (which was using it for connections coming in on 5222) over to the vhost on the reverse-proxy (so that it can use it for connections coming in on 443). This seems to work: at least I can visit https://jabber.pasta.freemyip.com/http-bind and see the right thing.

So now I myself try what I expect the user behind the corporate firewall is going to have to do: paste that URL into Pidgin/Advanced/BOSH-URL, save and try to connect. But when I do this it fails: the buddy list window simply says “Service unavailable” and the debug window shows the output below.

I’m not sure if this is a Pidgin issue or a Prosody issue, but the Pidgin logs look more useful than the Prosody ones, which say only New BOSH session, assigned it sid ... shortly followed by BOSH client disconnected: session close.

I don’t know if this is relevant: when I create the account in Pidgin, before adding the BOSH URL, the Advanced/Connect-Port is set to 5552. It’s probably meant to be that even once the BOSH URL is entered, but just in case, I changed it to 443 (and then later back) but this made no difference.

Can anybody offer any advice please? Thanks!

(13:23:04) account: Connecting to account alexis@jabber.pasta.freemyip.com/.
(13:23:04) connection: Connecting. gc = 0x55fd5fff83f0
(13:23:04) dnsquery: Performing DNS lookup for jabber.pasta.freemyip.com
(13:23:04) dns: Successfully sent DNS request to child 3812217
(13:23:04) dns: Got response for 'jabber.pasta.freemyip.com'
(13:23:04) dnsquery: IP resolved for jabber.pasta.freemyip.com
(13:23:04) proxy: Attempting connection to 91.64.206.27
(13:23:04) proxy: Connecting to jabber.pasta.freemyip.com:443 with no proxy
(13:23:04) proxy: Connection in progress
(13:23:04) proxy: Connecting to jabber.pasta.freemyip.com:443.
(13:23:04) proxy: Connected to jabber.pasta.freemyip.com:443.
(13:23:04) nss: SSL version 3.4 using 128-bit AES-GCM with 128-bit AEAD MAC
Server Auth: 256-bit TLS 1.3, Key Exchange: 255-bit TLS 1.3, Compression: NULL
Cipher Suite Name: TLS_AES_128_GCM_SHA256
(13:23:04) nss: subject=CN=jabber.pasta.freemyip.com issuer=CN=E5,O=Let's Encrypt,C=US
(13:23:04) nss: partial certificate chain
(13:23:04) certificate/x509/tls_cached: Starting verify for jabber.pasta.freemyip.com
(13:23:04) certificate/x509/tls_cached: Checking for cached cert...
(13:23:04) certificate/x509/tls_cached: ...Found cached cert
(13:23:04) nss/x509: Loading certificate from /home/alexis/.purple/certificates/x509/tls_peers/jabber.pasta.freemyip.com
(13:23:04) certificate/x509/tls_cached: Peer cert matched cached
(13:23:04) nss/x509: Exporting certificate to /home/alexis/.purple/certificates/x509/tls_peers/jabber.pasta.freemyip.com
(13:23:04) util: Writing file /home/alexis/.purple/certificates/x509/tls_peers/jabber.pasta.freemyip.com
(13:23:04) nss: Trusting CN=jabber.pasta.freemyip.com
(13:23:04) certificate: Successfully verified certificate for jabber.pasta.freemyip.com
(13:23:04) jabber: bosh: httpconn 0x55fd5ff9f300 re-connected
(13:23:04) jabber: SendBOSH Boot (ssl)(243): <body content='text/xml; charset=utf-8' secure='true' to='jabber.pasta.freemyip.com' xml:lang='en' xmpp:version='1.0' ver='1.6' xmlns:xmpp='urn:xmpp:xbosh' rid='2907094524842724' wait='60' hold='1' xmlns='http://jabber.org/protocol/httpbind'/>
(13:23:04) jabber: RecvBOSH (ssl)(487): <body inactivity='60' requests='2' xmlns:xmpp='urn:xmpp:xbosh' xmpp:version='1.0' xmlns:stream='http://etherx.jabber.org/streams' authid='6658f3d1-7f37-43ce-8892-821f681f1ea7' from='jabber.pasta.freemyip.com' sid='6658f3d1-7f37-43ce-8892-821f681f1ea7' wait='60' hold='1' polling='5' secure='true' ver='1.6' xmlns='http://jabber.org/protocol/httpbind'><stream:features xmlns='jabber:client'><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls></stream:features></body>
(13:23:04) jabber: BOSH connection manager version 1.6
(13:23:04) jabber: Sending (ssl) (alexis@jabber.pasta.freemyip.com): <iq xmlns='jabber:client' type='get' id='purplea3d30486'><query xmlns='jabber:iq:auth'><username>alexis</username></query></iq>
(13:23:04) jabber: BOSH: Sending an empty request
(13:23:05) jabber: RecvBOSH (ssl)(307): <body xmlns='http://jabber.org/protocol/httpbind' xmlns:stream='http://etherx.jabber.org/streams' sid='6658f3d1-7f37-43ce-8892-821f681f1ea7'><iq id='purplea3d30486' xmlns='jabber:client' type='error'><error type='cancel'><service-unavailable xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/></error></iq></body>
(13:23:05) connection: Connection error on 0x55fd5fff83f0 (reason: 0 description: Service Unavailable)
(13:23:05) jabber: BOSH: Sending an empty request
(13:23:05) account: Disconnecting account alexis@jabber.pasta.freemyip.com/ (0x55fd5fee4bd0)
(13:23:05) connection: Disconnecting connection 0x55fd5fff83f0
(13:23:05) connection: Destroying connection 0x55fd5fff83f0
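
Added example, not part of the original post: a small Python parser for the RecvBOSH lines in the debug output above, reporting what the connection manager offered in stream:features and any iq errors it returned. On this log it shows STARTTLS marked required, no SASL mechanisms offered, and the service-unavailable reply to the client's jabber:iq:auth query. The two log lines are copied from the post; the function and field names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "stream": "http://etherx.jabber.org/streams",
    "tls": "urn:ietf:params:xml:ns:xmpp-tls",
    "sasl": "urn:ietf:params:xml:ns:xmpp-sasl",
}
# Pidgin debug format: "(HH:MM:SS) jabber: RecvBOSH (ssl)(<len>): <body ...>"
RECV = re.compile(r"^\((\d\d:\d\d:\d\d)\) jabber: RecvBOSH \(\w+\)\(\d+\): (<body.*)$")

# The two RecvBOSH lines from the debug output in the post, copied verbatim.
SAMPLE_LOG = "\n".join([
    "(13:23:04) jabber: RecvBOSH (ssl)(487): <body inactivity='60' requests='2' xmlns:xmpp='urn:xmpp:xbosh' xmpp:version='1.0' xmlns:stream='http://etherx.jabber.org/streams' authid='6658f3d1-7f37-43ce-8892-821f681f1ea7' from='jabber.pasta.freemyip.com' sid='6658f3d1-7f37-43ce-8892-821f681f1ea7' wait='60' hold='1' polling='5' secure='true' ver='1.6' xmlns='http://jabber.org/protocol/httpbind'><stream:features xmlns='jabber:client'><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls></stream:features></body>",
    "(13:23:05) jabber: RecvBOSH (ssl)(307): <body xmlns='http://jabber.org/protocol/httpbind' xmlns:stream='http://etherx.jabber.org/streams' sid='6658f3d1-7f37-43ce-8892-821f681f1ea7'><iq id='purplea3d30486' xmlns='jabber:client' type='error'><error type='cancel'><service-unavailable xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/></error></iq></body>",
])

def summarize(log_text):
    """Return one dict per BOSH <body/> received from the connection manager."""
    results = []
    for line in log_text.splitlines():
        match = RECV.match(line.strip())
        if not match:
            continue
        body = ET.fromstring(match.group(2))
        entry = {"time": match.group(1), "sid": body.get("sid"),
                 "features": None, "iq_errors": []}
        feats = body.find("stream:features", NS)
        if feats is not None:
            entry["features"] = {
                "starttls": feats.find("tls:starttls", NS) is not None,
                "starttls_required": feats.find("tls:starttls/tls:required", NS) is not None,
                "sasl_mechanisms": [el.text for el in
                                    feats.findall("sasl:mechanisms/sasl:mechanism", NS)],
            }
        for iq in body.findall("{jabber:client}iq[@type='error']"):
            err = iq.find("{jabber:client}error")
            if err is not None and len(err):
                # First child of <error/> is the defined condition element.
                cond = err[0].tag.split("}")[-1]
                entry["iq_errors"].append((iq.get("id"), err.get("type"), cond))
        results.append(entry)
    return results

if __name__ == "__main__":
    for item in summarize(SAMPLE_LOG):
        print(item)
```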