Tutorial/HowTo: ejabberd + jwchat + apache2 on Ubuntu or Debian
Posted by Florian Haas on 27 May 2008 at 11:18 pm | Tagged as: linux
What is jwchat? Jwchat is a full-featured, web-based Jabber™ client.
It uses the HTTP-POLL method to connect to a Jabber server. It is written in JavaScript and runs entirely in the browser, which is quite nice because installing it does not open a glaring security hole on the server.
I am not going to explain how you set up ejabberd or apache2; there are tons of tutorials out there.
- Go to the jwchat download page and download it. Extract it to somewhere the webserver can read it; I put it in /usr/share/jwchat. Alternatively you can just aptitude install jwchat.
- Edit the config.js you can find in jwchat/www. There are two things you want to edit:
  - The SITENAME. Just put in your server name.
  - The httpbase a bit further down. This is the relative path where jwchat will try to contact the Jabber server. Put in anything you want; the default makes sense, though.
- Now comes the part where the jwchat documentation fails us: we have to configure apache2 to proxy all requests which go to the httpbase over to the Jabber server. jwchat proposes the following configuration (the container tags were lost when the page was extracted; the Directory section around the two options is restored here):

      DocumentRoot /var/www/jwchat
      <Directory /var/www/jwchat>
          Options +Indexes +Multiviews
          AddDefaultCharset UTF-8
      </Directory>
      RewriteEngine on
      RewriteRule http-poll/ http://127.0.0.1:5280/http-poll/ [P]

  While this works, it adds a burden to the user: his firewall needs to allow outgoing connections to port 5280. It is way better to keep all connections on one port so that jwchat works in heavily locked-down environments like libraries, universities and schools. This can be achieved with mod_proxy.
- First you have to enable mod_proxy_http and mod_proxy. You can do that by calling a2enmod proxy proxy_http
- Once this is done, put this somewhere into one of your (virtual) host configurations (again, the container tags around "Allow from all" and the two options were lost in extraction and are restored here; the Directory path follows from the Alias line):

      ProxyRequests Off
      ProxyPass /http-poll/ http://127.0.0.1:5280/http-poll/
      ProxyPassReverse /http-poll/ http://127.0.0.1:5280/http-poll/
      <Proxy *>
          Allow from all
      </Proxy>
      Alias /jwchat /usr/share/jwchat/www
      <Directory /usr/share/jwchat/www>
          Options +Indexes +Multiviews +FollowSymLinks
          AddDefaultCharset UTF-8
      </Directory>
Now the users can go to example.com/jwchat and use their Jabber accounts without having to install a client.
It is important to note that the username and password are transmitted as plaintext; this is dangerous and stupid. Not only will you die, it will also hurt the whole time you’re dying.
Edit: I was wrong: Jwchat uses DIGEST-MD5. While it is better than nothing, SSL is way more secure, seeing as the IETF is in the process of deprecating DIGEST-MD5 because of the bruteforceability.
Never use jwchat over an unencrypted connection. Be smart and put that whole configuration into an SSL-enabled host. You don’t lose any functionality but gain important security.
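Putting the proxy lines from above into an SSL-enabled host, as the post recommends, can look like the following. This is an added example written for this page, not configuration from the post or from the jwchat project; it uses Apache 2.2 syntax (matching the "Allow from all" style used above), and the hostname chat.example.com, the certificate paths and the assumption that mod_ssl is enabled are placeholders you need to replace:

```apache
# Added example, not the post's own configuration.
# Assumes Apache 2.2 with mod_ssl, mod_proxy and mod_proxy_http enabled
# (a2enmod ssl proxy proxy_http) and the jwchat tree at /usr/share/jwchat/www.
# chat.example.com and the certificate paths are placeholders.

# Plain HTTP only redirects to the SSL host, so the login form and the
# HTTP-POLL traffic never travel over an unencrypted connection.
<VirtualHost *:80>
    ServerName chat.example.com
    Redirect permanent / https://chat.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName chat.example.com
    SSLEngine on
    # placeholder paths: point these at your real certificate and key
    SSLCertificateFile    /etc/ssl/certs/chat.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/chat.example.com.key

    # Never act as an open forward proxy; only the explicit ProxyPass
    # mapping below is served.
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # Same-origin path for the HTTP-POLL transport: the browser talks only
    # to port 443, Apache relays to ejabberd listening on loopback. This path
    # must match the httpbase setting in jwchat's config.js.
    ProxyPass        /http-poll/ http://127.0.0.1:5280/http-poll/
    ProxyPassReverse /http-poll/ http://127.0.0.1:5280/http-poll/

    Alias /jwchat /usr/share/jwchat/www
    <Directory /usr/share/jwchat/www>
        # No +Indexes: directory listings are not needed to serve the client.
        Options +FollowSymLinks
        AddDefaultCharset UTF-8
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

Two checks belong with this layout. Run apache2ctl configtest before reloading, since a missing mod_ssl or mod_proxy module makes the whole host fail to load. More importantly, make sure ejabberd's HTTP-POLL listener on port 5280 is bound to 127.0.0.1 only (in ejabberd 2.x this is the ip option on the ejabberd_http listener in ejabberd.cfg; check with netstat -ltn that 5280 is not listening on 0.0.0.0), otherwise a client can still reach the unencrypted endpoint directly and the SSL front end protects nothing.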



Accidentally stumbled upon this:
That’s not true. JWChat (or JSJaC, to be precise) doesn’t transmit passwords as plaintext if not otherwise told to. Default is to use Digest auth (DIGEST-MD5 if using SASL) for authentication if it’s available from the server.
Zeank, you are right. I’m sorry for posting wrong information.
However, DIGEST-MD5 is on the verge of being deprecated because of the serious security limitations (see http://tools.ietf.org/html/dra.....istoric-00). Current hard- and software makes brute-force attacks feasible.
Hi, thanks for pinging me offsite - done wisely!
AFAIK SASL+DIGEST-MD5 has been marked deprecated not because of possible cracks of the underlying algorithm but because of being too complicated and generic, which leads to misunderstood, bad and incompatible implementations, which are in turn a matter of security concern.
With DIGEST-MD5 you’re using pretty large strings to be hashed. Brute-force attacks only work for reasonably small strings (some <10 characters or so). But I might be wrong here.
Nevertheless, if you can it’s ALWAYS better to have SSL encrypting for the whole stream.
Thanks for the tutorial… crafty little typo there in the apache2 settings… see wjchat for jwchat.
Thanks for the help!
Hi Dave,
thank you for your comment; I just fixed the typo.