[OPEN-ILS-DEV] A word on 'localhost' / securing Ejabberd

Scott McKellar mck9 at swbell.net
Thu Jun 21 16:58:19 EDT 2007


1. Would it be useful and desirable to make "localhost" work for 
opensrf.xml?

2. If so, would it be possible without jumping through too many 
hoops?

3. If so, which source file or files would likely need to be
changed?

Scott McKellar
http://home.swbell.net/mck9/aargh/

--- Bill Erickson <billserickson at gmail.com> wrote:

> I was reading about some of the issues/comments on using "localhost" as the
> Jabber domain with Evergreen.  Here's my $0.02:
> 
> There are 2 hostnames to consider when configuring jabber and Evergreen:
> 
> 1. The Jabber domain
>   - what host the jabber server is configured to use, including how users
>     are registered on the server
>   - this maps to all of the jabber host information in the OpenSRF config
>     files
>   - It's fine to use 'localhost' for this for single-box installations.
> 
> 2. The hostname(s) in the <hosts> section of the opensrf.xml file
>   - This defines what services each host in the "cluster" runs
>   - these hostnames have to be unique, DNS-resolvable hostnames for each
>     physical machine.  This is basically 'hostname -f' on Linux.
>   - even if you are only using one machine, the code performs the equivalent
>     of 'hostname -f' to find the hostname of the local machine.
>   - 'localhost' won't work there.  I've updated the default
>     opensrf.xml.example in the ILS code tree to evergreen.example.org.
> 
> Fortunately, as far as the configuration of the systems go, these two
> hostnames have nothing to do with each other.
> 
> If you prefer to use localhost (I do for 1-box setups), basic process is:
> 1. Set all domains to 'localhost' in the OpenSRF configs, except
>    opensrf.xml (should be the default)
> 2. Set domain to 'localhost' in the jabber server configuration
> 3. Register users on the jabber server as user@localhost
> 4. Set the fully qualified domain name of the machine in the <hosts> section
>    of opensrf.xml
> 
> For the security conscious, you can force Ejabberd to listen on 127.0.0.1,
> instead of all IPs, by adding {ip, {127,0,0,1}} to any section in the ports
> definition like so:
> 
> % Ordinary client-2-server service
>  [{5222, ejabberd_c2s,     [{access, c2s},
>                {max_stanza_size, 1000000},
>                {ip, {127,0,0,1}},   % <--- added: listen on 127.0.0.1 only
>                starttls, {certfile, "/etc/ejabberd/ejabberd.pem"},
>                {shaper, c2s_shaper}]},
> 
> 
> I hope this helps!
> 
> 
> -bill
> 
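
One way to confirm that the {ip, {127,0,0,1}} setting quoted above took effect after ejabberd is restarted, as an added example that is not part of the original thread: the script parses `ss -ltn` output and reports any listener on the watched ports that is not bound to a loopback address. The function names and the sample output are constructed for illustration; port 5269 in the sample is only a second port used to show the filter.

```python
import ipaddress

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:5222       0.0.0.0:*
LISTEN  0       128     0.0.0.0:5269         0.0.0.0:*
LISTEN  0       128     *:5222               *:*
LISTEN  0       128     [::1]:5222           [::]:*
"""


def split_local(addr_port):
    """Split the ss 'Local Address:Port' field into (host, port)."""
    host, _, port = addr_port.rpartition(":")
    host = host.strip("[]")          # IPv6 is printed as [addr]:port
    host = host.split("%", 1)[0]     # drop an interface scope such as %lo
    return host, int(port)


def is_loopback(host):
    """True only for 127.0.0.0/8 or ::1; wildcard or unparsable counts as exposed."""
    if host == "*":
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def exposed_listeners(ss_output, ports=(5222,)):
    """Return (host, port) for each watched listener not bound to loopback."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                 # skips the header and non-listening rows
        host, port = split_local(fields[3])
        if port in ports and not is_loopback(host):
            exposed.append((host, port))
    return exposed


if __name__ == "__main__":
    for host, port in exposed_listeners(SAMPLE_SS_OUTPUT, ports=(5222, 5269)):
        print(f"port {port} is reachable beyond loopback (bound to {host})")
```

An empty result for port 5222 means the client-to-server listener is bound to loopback only; each other section of the ports definition needs its own {ip, ...} entry, so pass every port you expect to be local.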


