/dev/zero

NGINX as a reverse proxy for Prosody

Wed, 20 Jan 2021 09:04:00 +0000

This article describes a simple setup to run Prosody’s mod_http_upload behind a NGINX reverse proxy. You will need (some) knowledge about Prosody and NGINX to follow the steps described in this article.

First things first: Install Prosody according to the Prosody documentation

Configuring Prosody

The following settings need to be present in your configuration (replace example.com with your domain):

--------------------------------------------------------------------
-- This config file is truncated and not complete and just contains
-- settings relevant to this article for better readability
--------------------------------------------------------------------

-- http connection settings
https_ports = { }
http_interfaces = { "127.0.0.1" }

VirtualHost "example.com"
disco_items = {
  { "jabber.example.com" },
}


Component "jabber.example.com" "http_upload"
  http_host = "jabber.example.com"
  http_external_url = "https://jabber.example.com/"

Component "muc.example.com" "muc"
modules_enabled = {
  "vcard_muc",
  "muc_mam",
}

Please make yourself familiar with the security and expiry-settings of Prosody, muc and mod_http_upload.

NGINX Site configuration

We will use NGINX to serve all files. File uploads (PUT requests in this case) are passed to mod_http_upload using the proxy_pass directive.

Create a NGINX Site configuration file for Prosody in /etc/nginx/sites-available/prosody and symlink it from /etc/nginx/sites-enabled/prosody. Replace example.com with your domain name.

# Configuration for mod_http_upload
server {
    server_tokens off;              # hide server tokens
    server_name jabber.example.com; # subdomain for http upload

    listen 443 ssl;
    listen [::]:443 ssl;

    root /var/www/html;             # your default serving directory

    location /upload {
      proxy_buffering off;
      proxy_set_header Host $host;

      # pass PUT requests to mod_http_upload for processing
      if ($request_method = PUT) {
        proxy_pass http://127.0.0.1:5280;
      }

      alias /var/lib/prosody/http_upload;  # storage path of mod_http_upload. NGINX will serve these files to the clients.
    }

    client_max_body_size 10m;

    # certificate management here
}


# Optional http placeholder site for mod_muc subdomain
# You can remove this block if you do not want to deliver a page on the domain.
server {
    server_tokens off;           # hide server tokens
    server_name muc.example.com; # subdomain for MUC

    listen 443 ssl;
    listen [::]:443 ssl;

    root /var/www/html;          # your default serving directory

    # certificate management here
}

Update permissions

At this point NGINX will not be able to read files in the Prosody data directory due to missing permissions. We need to perform following steps to allow read access to the uploaded files written by mod_http_upload to the file upload directory:

Create Group for XMPP Web Data www-data-xmpp
Add prosody to group www-data-xmpp
Add NGINX User www-data to group www-data-xmpp
Modify directory owners

# create a dedicated group
groupadd www-data-xmpp

# add prosody to group
usermod -a -G www-data-xmpp prosody

# add www-data to grouo
usermod -a -G www-data-xmpp www-data

# change owner group of mod_http_upload directory
chgrp -R www-data-xmpp /var/lib/prosody/http_upload/

# change owner group of prosody file system storage
chgrp www-data-xmpp /var/lib/prosody

# set setgid flag for mod_http_upload directory
chmod g+s /var/lib/prosody/http_upload/

Wrapping it up

Restart your prosody server service prosody restart
Reload your NGINX server nginx -s reload
Have fun

Automated OWASP Zap Security Scans

Sat, 27 Jun 2020 09:04:00 +0000

OWASP Zap (aka Zed Attack Proxy) is a security scanner, which scans your web application for security issues. I wrote a blog post on this topic for the Swingletree page.

Using SonarQube branch analysis with GitHub PRs

Sat, 30 Jun 2018 21:04:00 +0000

On my job I have a lot to do with SonarQube. Like many other companies we use this tool to perform static code analysis for our projects.

I was excited when Sonarqube announced the Branch Analysis Feature for its SonarQube Developer Edition, which enabled us to increase the transparency of quality issues for our development branches in relation to our master-branch.

We were using (and still use) the Sonar GitHub Plugin to help developers when approving pull requests. This solution is based on so called Sonar preview-scans, which can cover only a subset of the full Sonar scan and can therefore not compute a useful leak period.

The idea for Swingletree was born. A pretty non-invasive integration using Sonar webhooks and GitHub Apps. More details about the internals of Swingletree can be found in the project’s readme.

Keep in mind you will need a license for the SonarQube Developer Edition (or a higher license edition) to be able to use the Branch Analysis Feature.

Inversion of control in Typescript

Mon, 23 Apr 2018 21:04:00 +0000

When writing Swingletree I came across InversifyJS, which enables us to use Dependency Injection in our TypeScript applications. The refactor-hammer was more than ready to be swung, as soon as I discovered that constructor injection is supported and almost everything is managed via annotations.

So.. how does it look like? Let’s take a look at an injectable class supporting constructor injection:

// omitted other imports for clarity
import { injectable } from "inversify";
import { inject } from "inversify";

@injectable()
class GithubWebhook {
	constructor(
		@inject(EventBus) eventBus: EventBus,
		@inject(ConfigurationService) configService: ConfigurationService
	) {
		this.eventBus = eventBus;
		this.configService = configService;
	}
  
  // ...
}

Everything needs to be strapped together using an inversify container, which takes care of the dependency injections and class instantiation:

import "reflect-metadata";

import { Container } from "inversify";

import { ConfigurationService } from "../configuration";
import EventBus from "../event-bus";
import GithubWebhook from "../github/github-webhook";


const container = new Container();

container.bind<EventBus>(EventBus).toSelf().inSingletonScope();
container.bind<ConfigurationService>(ConfigurationService).toSelf().inSingletonScope();
container.bind<GithubWebhook>(GithubWebhook).toSelf().inSingletonScope();

export default container;

Keep in mind that classes only get instantiated when they are a dependency of an other class. You can manually require them by using this:

container.get<CommitStatusSender>(CommitStatusSender);

Inversify has some very good examples, if you want to get into the details.

Dusty machines and lubuntu

Wed, 11 Apr 2018 21:04:00 +0000

Spring is coming. Therefore my better three-quarter declared global spring cleaning, which led me to the discovery of an old Asus eee 1000H PC. After my duty was done I couldn’t resist to boot it up to lay my eyes upon an antique Windows XP.

The urge to change this was instantly rising and I looked up some lightweight Linux distributions, due to the very limited hardware specifications of this machine (1.6 GHz, 1GB RAM). Lubuntu was one of the candidates, so I downloaded the 32 bit image and prepared an USB stick. This should be an easy job.

So I booted from the USB drive and wanted to install Lubuntu directly without launching the live demo. After I configured the partitions (with encryption) the installer threw an error message and cancelled the installation.

Unsafe swap space detected

A quick Google search revealed the solution to this error. Just boot the live preview of Lubuntu and run the following commands before invoking the installer

# fixes the 'Unsafe swap space detected' error
sudo swapoff --all
# fixes the 'Autopartitioning failed' error (if you use lvm)
sudo apt-get install lvm2

You can read about the solutions here and here

Make sure you are installing the updates during the setup. Without the updates I had issues with the graphic chip driver of the machine resulting in a partial black screen.

After a few hours the system was running; the only thing I need is an use-case now.

More privacy in your network with pihole

Sun, 28 Jan 2018 21:04:00 +0000

“Just set up a PiHole and look, what is going on”. Since my home is not massively IOT’ized I didn’t suspect much traffic going to analytic servers; but a relatively free weekend offered the opportunity for a small side-project.

The setup is very simple. I used a spare Raspberry PI 1 with a 2GB SD card and flashed the latest Raspbian Lite image.

Tip: In case your Raspberry is running headless: Put an empty file named ssh on the SD card after writing the image. The system will then be configured to accept SSH connections.

Just update everything and you will be ready to install Pihole

sudo apt-get update
sudo apt-get upgrade

pihole offers a simple installation method:

curl -sSL https://install.pi-hole.net | bash

Simplicity is great, but be careful, if you install things this way. It is always a good idea to check what the script does before executing it.

You will now be guided through a setup wizard and at the end of it you will have a fully configured pihole. Be sure to note the generated admin password and set your Raspberry up to use a static ip address.

Be sure you configure the pihole as a DHCP server and deactivate all other DHCP servers in your network. Pihole will be able to filter the requests as soon as the cached DNS addresses and DHCP leases are expiring.

Following things I noticed so far:

no ads in apps (on my mobile)
Redirection Ad target sites are blocked
Chromecast is not able to phone home
Tracking sites are blocked

What gets blocked depends on your selection of block lists.

Have fun! :)

Alpine and Oracle Java

Sat, 23 Dec 2017 21:04:00 +0000

So, finally we got an Alpine Repository running. “Let’s build a Java image on top of that, like, right now!”, I greenly said to my colleague, not knowing, that it will not be that easy.

Let’s start with some basic details about Alpine Linux. It is a Linux distribution built on top of musl and BusyBox. Alpine enables us to build very small images, since it is stripped of almost everything.

Alpine Linux is a security-oriented, lightweight Linux distribution based on musl libc and busybox.

Wait a moment.. musl instead of glibc? A quick Google search confirmed the bad feeling I’ve had after receiving the first weird error messages from the freshly built container. Oracle JRE, as well as Oracle JDK are not compatible with musl. Unfortunately, glibc is a hard dependency of these packages. OpenJDK, on the other side, runs (thanks to Project Portola) on musl-based environments.

You will find some instructions on how to run Oracle Java on Alpine, but I sense a “workaroundy” aftertaste in such solutions.