May 2008

Monthly Archive

Tutorial/HowTo: ejabberd + jwchat + apache2 on Ubuntu or Debian

Posted by Florian Haas on 27 May 2008 | Tagged as:

What is jwchat? Jwchat

is a full featured, web-based Jabber™ client.

It uses the HTTP-POLL method to connect to a jabber-server. It is written in Javascript, which is quite nice because you do not open a glaring security-hole by installing it.

I am not going to explain how you set up ejabberd or apache2; there are tons of tutorials for that out there.

  1. Go to the jwchat download-page and download it. Extract it to somewhere where the webserver can read it; i put it in /usr/share/jwchat. Alternatively you can just aptitude install jwchat.
  2. Edit the config.js you can find in jwchat/www . There are two things you want to edit:
    1. The SITENAME. Just put in your servername.
    2. The httpbases a bit further down. This is the relative path where jwchat will try to contact the jabber-server. Put in anything you want; the default makes sense, though.
  4. Now comes the part where the jwchat-documentation fails us: we have to configure the apache2 to proxy all requests which go to the httpbase over to the jabber-server. jwchat proposes the following configuration:
    DocumentRoot /var/www/jwchat
    Options +Indexes +Multiviews
    AddDefaultCharset UTF-8
    RewriteEngine on
    RewriteRule http-poll/ http://127.0.0.1:5280/http-poll/ [P]

    While this works, it adds a burden to the user: his firewall needs to allow outgoing connections to port 5280. It is way better to keep all connections on one port so that jwchat works in heavily locked-down environments like libraries, universities and schools. This can be achieved by mod_proxy.

  5. First you have to enable mod_proxy_http and mod_proxy. You can do that by calling a2enmod proxy proxy_http
  6. Once this is done, put this somewhere into one of your (virtual)host configurations:ProxyRequests Off
    ProxyPass /http-poll/ http://127.0.0.1:5280/http-poll/
    ProxyPassReverse /http-poll/ http://127.0.0.1:5280/http-poll/
    Allow from all
    Alias /jwchat /usr/share/jwchat/www
    Options +Indexes +Multiviews +FollowSymLinks
    AddDefaultCharset UTF-8
    Now the users can go to $example.com/jwchat and use their jabber-accounts without having to install a client.

It is important to note that the username and password are transmited as plaintext; this is dangerous and stupid. Not only will you die, it will also hurt the whole time you’re dieing.

Edit: I was wrong: Jwchat uses DIGEST-MD5. While it is better than nothing, SSL is way more secure, seeing as the IETF is in the process of deprecating DIGEST-MD5 because of the bruteforceability.

Never use jwchat over an unencrypted connection. Be smart and put that whole configuration into an SSL-enabled host. You don’t lose any functionality but gain important security.

5 Comments »