[OPEN-ILS-DEV] A word on 'localhost' / securing Ejabberd

Bill Erickson billserickson at gmail.com
Thu Jun 21 15:11:20 EDT 2007


I was reading about some of the issues/comments on using "localhost" as the
Jabber domain with Evergreen.   Here's my $0.02:

There are 2 hostnames to consider when configuring jabber and Evergreen:

1. The Jabber domain
  - what host the jabber server is configured to use, including how users
are registered on the server
  - this maps to all of the jabber host information in the OpenSRF config
files
  - It's fine to use 'localhost' for this for single-box installations.

2. The hostname(s) in the <hosts> section of the opensrf.xml file
  - This defines what services each host in the "cluster" runs
  - these hostnames have to be unique, DNS-resolvable hostnames for each
physical machine.  This is basically 'hostname -f' on Linux.
  - even if you are only using one machine, the code performs the equivalent
of 'hostname -f' to find the hostname of the local machine.
  - 'localhost' won't work there.  I've updated the default
opensrf.xml.example in the ILS code tree to evergreen.example.org.

Fortunately, as far as the configuration of the systems go, these two
hostnames have nothing to do with each other.

If you prefer to use localhost (I do for 1-box setups), basic process is:
1. Set all domains to 'localhost' in the OpenSRF configs, except
opensrf.xml (should be the default)
2. Set domain to 'localhost' in the jabber server configuration
3. Register users on the jabber server as user@localhost
4. Set the fully qualified domain name of the machine in the <hosts> section
of opensrf.xml

For the security conscious, you can force Ejabberd to listen on 127.0.0.1,
instead of all IPs, by adding {ip, {127,0,0,1}} to any section in the ports
definition like so:

% Ordinary client-2-server service
 [{5222, ejabberd_c2s,     [{access, c2s},
               {max_stanza_size, 1000000},
               {ip, {127,0,0,1}},          % <--- added line
               starttls, {certfile, "/etc/ejabberd/ejabberd.pem"},
               {shaper, c2s_shaper}]},


I hope this helps!


-bill
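
Added example, not part of the original post: a shell check that confirms the listener on port 5222 is bound only to loopback once {ip, {127,0,0,1}} is in place. It parses `ss -ltn` output from stdin; the function names and the two sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# Reads `ss -ltn` output on stdin and prints every listener on the given
# ports whose local address is not loopback.
exposed_listeners() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 != "LISTEN" { next }                 # header and non-listening rows
        {
            idx = match($4, /:[0-9]+$/)         # last colon separates the port
            if (!idx) next
            addr = substr($4, 1, idx - 1)
            port = substr($4, idx + 1)
            if (!(port in want)) next
            gsub(/^\[|\]$/, "", addr)           # [::1] -> ::1
            sub(/%.*$/, "", addr)               # 127.0.0.1%lo -> 127.0.0.1
            if (addr ~ /^(::ffff:)?127\./ || addr == "::1") next
            print $4
        }'
}

# Exit status 0 only if every listener on the given ports is loopback-only.
check_loopback_only() {
    exposed=$(exposed_listeners "$@")
    [ -z "$exposed" ] && return 0
    echo "$exposed" | sed 's/^/not loopback-only: /' >&2
    return 1
}

# Constructed sample: default listener, reachable on all interfaces.
sample_before() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       0.0.0.0:5222        0.0.0.0:*
EOF
}

# Constructed sample: after adding {ip, {127,0,0,1}} and restarting ejabberd.
sample_after() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       127.0.0.1:5222      0.0.0.0:*
EOF
}

sample_before | exposed_listeners 5222    # prints 0.0.0.0:5222
```

On a live host, feed it real output with `ss -ltn | check_loopback_only 5222` and pass any other ejabberd ports you have enabled as extra arguments.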